DragonFly submit List (threaded) for 2008-12
DragonFly BSD
DragonFly submit List (threaded) for 2008-12
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

suser to priv conversion patch


From: Michael Neumann <mneumann@xxxxxxxx>
Date: Mon, 29 Dec 2008 19:16:02 +0100

Hi,

I've attached a patch that replaces suser(9) with priv(9).  Priv(9) is a
new API used by FreeBSD, and what it adds is fine-grained control over
which privelges are requested (and granted in turn).

So instead of

suser(td)

you write:

priv_check(td, PRIV_ROOT);

This will request ROOT privileges (which is equivalent to the suser()
call above). Of course PRIV_ROOT is not recommended and only serves
until all privileges are replaced by more fine grained privileges.

In sys/priv.h all existing privileges are defined.

The new API is as follows:

   int priv_check(struct thread *td, int priv);
   int priv_check_cred(struct ucred *cred, int priv, int flag);

Old suser calls still work, but should be avoided and replaced by the
corresponding priv_* call.

The patch does not (yet) modify the way privileges are granted, i.e.
the implementation is identical to the corresponding suser_*() function.

If no one objects, I'd like to commit this soon to then concentrate on
introducing fine-grained privileges. If possible, I'd like to (later)
get rid of the flags argument of priv_check_cred() (or suser_cred()),
which can be either NULL_CRED_OKAY or PRISON_ROOT, but I've not yet
thought about it throrrowly enough.

Regards,

Michael
commit 57962f80aecf03c023853992fea471246a0adc3a
Author: Michael Neumann <mneumann@ntecs.de>
Date:   Tue Dec 16 21:48:47 2008 +0000

    Use jailed() inline-function

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 948c724..3d01f14 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -126,7 +126,7 @@ sys_mount(struct mount_args *uap)
 	struct ucred *cred = p->p_ucred;
 
 	KKASSERT(p);
-	if (cred->cr_prison != NULL)
+	if (jailed(cred))
 		return (EPERM);
 	if (usermount == 0 && (error = priv_check(td, PRIV_ROOT)))
 		return (error);

commit f00b5e4e0872278fd14729354d116502c11cffe5
Author: Michael Neumann <mneumann@ntecs.de>
Date:   Tue Dec 16 21:46:10 2008 +0000

    Use more specific privilege PRIV_VFS_GENERATION

diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index db2c1ec..cf0ca8e 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -945,7 +945,9 @@ vn_stat(struct vnode *vp, struct stat *sb, struct ucred *cred)
 	}
 	
 	sb->st_flags = vap->va_flags;
-	if (priv_check_cred(cred, PRIV_ROOT, 0))
+
+	error = priv_check_cred(cred, PRIV_VFS_GENERATION, 0);
+	if (error)
 		sb->st_gen = 0;
 	else
 		sb->st_gen = (u_int32_t)vap->va_gen;

commit 75bda2d9f3adc0b067ea8c5ef2c1ceef0ddd3cab
Author: Michael Neumann <mneumann@ntecs.de>
Date:   Mon Dec 15 16:17:49 2008 +0000

    Fix missing includes

diff --git a/sys/vfs/procfs/procfs_ctl.c b/sys/vfs/procfs/procfs_ctl.c
index f5b260e..3912fd1 100644
--- a/sys/vfs/procfs/procfs_ctl.c
+++ b/sys/vfs/procfs/procfs_ctl.c
@@ -44,6 +44,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/vnode.h>
 #include <sys/ptrace.h>
 #include <sys/signalvar.h>
diff --git a/sys/vfs/procfs/procfs_dbregs.c b/sys/vfs/procfs/procfs_dbregs.c
index 291af64..939a6b5 100644
--- a/sys/vfs/procfs/procfs_dbregs.c
+++ b/sys/vfs/procfs/procfs_dbregs.c
@@ -46,6 +46,7 @@
 
 #include <sys/param.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/vnode.h>
 #include <sys/reg.h>
 #include <vfs/procfs/procfs.h>
diff --git a/sys/vfs/procfs/procfs_fpregs.c b/sys/vfs/procfs/procfs_fpregs.c
index b57d676..7692af3 100644
--- a/sys/vfs/procfs/procfs_fpregs.c
+++ b/sys/vfs/procfs/procfs_fpregs.c
@@ -43,6 +43,7 @@
 
 #include <sys/param.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/vnode.h>
 #include <sys/reg.h>
 #include <vfs/procfs/procfs.h>
diff --git a/sys/vfs/procfs/procfs_mem.c b/sys/vfs/procfs/procfs_mem.c
index 56e6a2b..9d1426e 100644
--- a/sys/vfs/procfs/procfs_mem.c
+++ b/sys/vfs/procfs/procfs_mem.c
@@ -49,6 +49,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/vnode.h>
 #include <vfs/procfs/procfs.h>
 #include <vm/vm.h>
diff --git a/sys/vfs/procfs/procfs_regs.c b/sys/vfs/procfs/procfs_regs.c
index 932b7e9..5e51c71 100644
--- a/sys/vfs/procfs/procfs_regs.c
+++ b/sys/vfs/procfs/procfs_regs.c
@@ -43,6 +43,7 @@
 
 #include <sys/param.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/vnode.h>
 #include <sys/reg.h>
 #include <vfs/procfs/procfs.h>
diff --git a/sys/vfs/procfs/procfs_status.c b/sys/vfs/procfs/procfs_status.c
index 628cf81..9a42620 100644
--- a/sys/vfs/procfs/procfs_status.c
+++ b/sys/vfs/procfs/procfs_status.c
@@ -45,6 +45,7 @@
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/jail.h>
 #include <sys/vnode.h>
 #include <sys/tty.h>

commit 28eeae899942460b3f51aa64811fc3ae0d46797b
Author: Michael Neumann <mneumann@ntecs.de>
Date:   Mon Dec 15 16:05:25 2008 +0000

    Fix missing include

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 5ebfe17..732659d 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -53,6 +53,7 @@
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/malloc.h>
 #include <sys/pioctl.h>
 #include <sys/resourcevar.h>

commit d46b588e8181306f8e88c9068d70b4a8ab9c54b5
Author: Michael Neumann <mneumann@ntecs.de>
Date:   Mon Dec 15 16:00:10 2008 +0000

    Depreciate suser_*. Instead use priv_check_*.
    
    The suser_* functions now internally call the corresponding
    priv_check_* functions.

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 68df28e..5ebfe17 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -817,72 +817,76 @@ groupmember(gid_t gid, struct ucred *cred)
 
 /*
  * Test whether the specified credentials imply "super-user"
- * privilege; if so, and we have accounting info, set the flag
- * indicating use of super-powers.  A kernel thread without a process
- * context is assumed to have super user capabilities.  In situations
- * where the caller always expect a cred to exist, the cred should be
- * passed separately and suser_cred()should be used instead of suser().
+ * privilege.
+ * 
+ * Depreciated! Use priv_check() instead. 
+ */
+int
+suser(struct thread *td)
+{
+	return priv_check(td, PRIV_ROOT);
+}
+
+/*
+ * Depreciated! Use priv_check_cred() instead. 
+ */
+int
+suser_cred(struct ucred *cred, int flag)
+{
+	return priv_check_cred(cred, PRIV_ROOT, flag);
+}
+
+/*
+ * Test whether the specified credentials have the privilege
+ * in question.
+ *
+ * A kernel thread without a process context is assumed to have 
+ * the privilege in question.  In situations where the caller always 
+ * expect a cred to exist, the cred should be passed separately and 
+ * priv_check_cred() should be used instead of priv_check().
  *
  * Returns 0 or error.
  */
 int
-suser(struct thread *td)
+priv_check(struct thread *td, int priv)
 {
 	struct proc *p = td->td_proc;
 
 	if (p != NULL) {
-		return suser_cred(p->p_ucred, 0);
+		return priv_check_cred(p->p_ucred, priv, 0);
 	} else {
 		return (0);
 	}
 }
 
 /*
+ * Check a credential for privilege.
+ *
  * A non-null credential is expected unless NULL_CRED_OKAY is set.
  */
 int
-suser_cred(struct ucred *cred, int flag)
+priv_check_cred(struct ucred *cred, int priv, int flags)
 {
-	KASSERT(cred != NULL || flag & NULL_CRED_OKAY,
-		("suser_cred: NULL cred!"));
+	KASSERT(PRIV_VALID(priv), ("priv_check_cred: invalid privilege"));
+
+	KASSERT(cred != NULL || flags & NULL_CRED_OKAY,
+		("priv_check_cred: NULL cred!"));
 
 	if (cred == NULL) {
-		if (flag & NULL_CRED_OKAY)
+		if (flags & NULL_CRED_OKAY)
 			return (0);
 		else
 			return (EPERM);
 	}
 	if (cred->cr_uid != 0) 
 		return (EPERM);
-	if (cred->cr_prison && !(flag & PRISON_ROOT))
+	if (cred->cr_prison && !(flags & PRISON_ROOT))
 		return (EPERM);
 	/* NOTE: accounting for suser access (p_acflag/ASU) removed */
 	return (0);
 }
 
 /*
- * Check for privilege.
- *
- * YYY: For now this is just a wrapper calling suser().
- */
-int
-priv_check(struct thread *td, int priv)
-{
-  return suser(td);
-}
-
-/*
- * Check a credential for privilege.
- *
- * YYY: For now this is just a wrapper calling suser_cred().
- */
-int
-priv_check_cred(struct ucred *cred, int priv, int flags)
-{
-  return suser_cred(cred, flags);
-}
-
-/*
  * Return zero if p1 can fondle p2, return errno (EPERM/ESRCH) otherwise.
  */
 int

commit 895c1f850848cf50a3243e134345f0d4ff33ac59
Author: Michael Neumann <mneumann@ntecs.de>
Date:   Mon Dec 15 14:55:51 2008 +0000

    suser_* to priv_* conversion

diff --git a/sys/dev/disk/ata/atapi-cd.c b/sys/dev/disk/ata/atapi-cd.c
index 413a79e..37f6b6e 100644
--- a/sys/dev/disk/ata/atapi-cd.c
+++ b/sys/dev/disk/ata/atapi-cd.c
@@ -36,6 +36,7 @@
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/buf.h>
 #include <sys/bus.h>
 #include <sys/disk.h>
@@ -596,7 +597,7 @@ acdioctl(struct dev_ioctl_args *ap)
 
     case CDIOCRESET:
 ;	/* note: if no proc EPERM will be returned */
-	error = suser_cred(ap->a_cred, 0);
+	error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 	if (error)
 	    break;
 	error = atapi_test_ready(cdp->device);
diff --git a/sys/dev/disk/fd/fd.c b/sys/dev/disk/fd/fd.c
index 5d454e6..a50f848 100644
--- a/sys/dev/disk/fd/fd.c
+++ b/sys/dev/disk/fd/fd.c
@@ -72,6 +72,7 @@
 #include <sys/malloc.h>
 #include <sys/module.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/syslog.h>
 #include <sys/device.h>
 #include <sys/bus.h>
@@ -2307,7 +2308,7 @@ fdioctl(struct dev_ioctl_args *ap)
 
 	case FD_STYPE:                  /* set drive type */
 		/* this is considered harmful; only allow for superuser */
-		if (suser_cred(ap->a_cred, 0) != 0)
+		if (priv_check_cred(ap->a_cred, PRIV_ROOT, 0) != 0)
 			return EPERM;
 		fd->ft = *(struct fd_type *)ap->a_data;
 		break;
diff --git a/sys/dev/disk/nata/atapi-cd.c b/sys/dev/disk/nata/atapi-cd.c
index 8934366..5346ee0 100644
--- a/sys/dev/disk/nata/atapi-cd.c
+++ b/sys/dev/disk/nata/atapi-cd.c
@@ -44,6 +44,7 @@
 #include <sys/module.h>
 #include <sys/nata.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/systm.h>
 
 #include "ata-all.h"
@@ -345,7 +346,7 @@ acd_ioctl(struct dev_ioctl_args *ap)
 	break;
 
     case CDIOCRESET:
-	error = suser_cred(ap->a_cred, 0);
+	error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 	if (error)
 	    break;
 	error = acd_test_ready(dev);
diff --git a/sys/dev/disk/vn/vn.c b/sys/dev/disk/vn/vn.c
index e012a26..a6f9342 100644
--- a/sys/dev/disk/vn/vn.c
+++ b/sys/dev/disk/vn/vn.c
@@ -61,6 +61,7 @@
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/nlookup.h>
 #include <sys/buf.h>
 #include <sys/malloc.h>
@@ -479,7 +480,7 @@ vnioctl(struct dev_ioctl_args *ap)
 
     vn_specific:
 
-	error = suser_cred(ap->a_cred, 0);
+	error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 	if (error)
 		return (error);
 
diff --git a/sys/dev/drm/drmP.h b/sys/dev/drm/drmP.h
index f1c8519..859e639 100644
--- a/sys/dev/drm/drmP.h
+++ b/sys/dev/drm/drmP.h
@@ -48,9 +48,7 @@ typedef struct drm_file drm_file_t;
 #include <sys/systm.h>
 #include <sys/conf.h>
 #include <sys/stat.h>
-#if __FreeBSD_version >= 700000
 #include <sys/priv.h>
-#endif
 #include <sys/proc.h>
 #include <sys/lock.h>
 #include <sys/fcntl.h>
@@ -276,11 +274,7 @@ enum {
 #if defined(__FreeBSD__) || defined(__DragonFly__)
 #define PAGE_ALIGN(addr) round_page(addr)
 /* DRM_SUSER returns true if the user is superuser */
-#if __FreeBSD_version >= 700000
 #define DRM_SUSER(p)		(priv_check(p, PRIV_DRIVER) == 0)
-#else
-#define DRM_SUSER(p)		(suser(p) == 0)
-#endif
 #define DRM_AGP_FIND_DEVICE()	agp_find_device()
 #define DRM_MTRR_WC		MDF_WRITECOMBINE
 #define jiffies			ticks
diff --git a/sys/dev/misc/dcons/dcons_os.c b/sys/dev/misc/dcons/dcons_os.c
index cf71142..a8edd34 100644
--- a/sys/dev/misc/dcons/dcons_os.c
+++ b/sys/dev/misc/dcons/dcons_os.c
@@ -50,6 +50,7 @@
 #include <sys/tty.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/thread2.h>
 #include <sys/ucred.h>
 #include <sys/bus.h>
@@ -272,7 +273,7 @@ dcons_open(struct dev_open_args *ap)
 		tp->t_lflag = TTYDEF_LFLAG;
 		tp->t_ispeed = tp->t_ospeed = TTYDEF_SPEED;
 		ttsetwater(tp);
-	} else if ((tp->t_state & TS_XCLUDE) && suser_cred(ap->a_cred, 0)) {
+	} else if ((tp->t_state & TS_XCLUDE) && priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) {
 		crit_exit();
 		return (EBUSY);
 	}
diff --git a/sys/dev/misc/nmdm/nmdm.c b/sys/dev/misc/nmdm/nmdm.c
index 3cf30c7..be1546d 100644
--- a/sys/dev/misc/nmdm/nmdm.c
+++ b/sys/dev/misc/nmdm/nmdm.c
@@ -44,6 +44,7 @@
 #include <sys/ioctl_compat.h>
 #endif
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/thread2.h>
 #include <sys/tty.h>
 #include <sys/conf.h>
@@ -203,7 +204,7 @@ nmdmopen(struct dev_open_args *ap)
 		tp->t_lflag = TTYDEF_LFLAG;
 		tp->t_cflag = TTYDEF_CFLAG;
 		tp->t_ispeed = tp->t_ospeed = TTYDEF_SPEED;
-	} else if (tp->t_state & TS_XCLUDE && suser_cred(ap->a_cred, 0)) {
+	} else if (tp->t_state & TS_XCLUDE && priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) {
 		return (EBUSY);
 	} else if (pti->pt_prison != ap->a_cred->cr_prison) {
 		return (EBUSY);
diff --git a/sys/dev/misc/spigot/spigot.c b/sys/dev/misc/spigot/spigot.c
index a07feb3..8054827 100644
--- a/sys/dev/misc/spigot/spigot.c
+++ b/sys/dev/misc/spigot/spigot.c
@@ -60,6 +60,7 @@ error "Can only have 1 spigot configured."
 #include	<sys/conf.h>
 #include	<sys/device.h>
 #include	<sys/proc.h>
+#include	<sys/priv.h>
 #include	<sys/signalvar.h>
 #include	<sys/mman.h>
 
@@ -166,7 +167,7 @@ spigot_open(struct dev_open_args *ap)
 	 * require sufficient privilege soon and nothing much can be done
 	 * without them.
 	 */
-	error = suser_cred(ap->a_cred, 0);
+	error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 	if (error != 0)
 		return error;
 	if (securelevel > 0)
@@ -231,7 +232,7 @@ spigot_ioctl(struct dev_ioctl_args *ap)
 		break;
 	case	SPIGOT_IOPL_ON:	/* allow access to the IO PAGE */
 #if !defined(SPIGOT_UNSECURE)
-		error = suser_cred(ap->a_cred, 0);
+		error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 		if (error != 0)
 			return error;
 		if (securelevel > 0)
diff --git a/sys/dev/misc/syscons/syscons.c b/sys/dev/misc/syscons/syscons.c
index 9994b31..ce6f4b8 100644
--- a/sys/dev/misc/syscons/syscons.c
+++ b/sys/dev/misc/syscons/syscons.c
@@ -43,6 +43,7 @@
 #include <sys/reboot.h>
 #include <sys/conf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/signalvar.h>
 #include <sys/sysctl.h>
 #include <sys/tty.h>
@@ -492,7 +493,7 @@ scopen(struct dev_open_args *ap)
 	(*linesw[tp->t_line].l_modem)(tp, 1);
     }
     else
-	if (tp->t_state & TS_XCLUDE && suser_cred(ap->a_cred, 0))
+	if (tp->t_state & TS_XCLUDE && priv_check_cred(ap->a_cred, PRIV_ROOT, 0))
 	    return(EBUSY);
 
     error = (*linesw[tp->t_line].l_open)(dev, tp);
@@ -1002,7 +1003,7 @@ scioctl(struct dev_ioctl_args *ap)
 	return 0;
 
     case KDENABIO:      	/* allow io operations */
-	error = suser_cred(ap->a_cred, 0);
+	error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 	if (error != 0)
 	    return error;
 	if (securelevel > 0)
diff --git a/sys/dev/misc/syscons/sysmouse.c b/sys/dev/misc/syscons/sysmouse.c
index a51d17c..86e1e40 100644
--- a/sys/dev/misc/syscons/sysmouse.c
+++ b/sys/dev/misc/syscons/sysmouse.c
@@ -33,6 +33,7 @@
 #include <sys/systm.h>
 #include <sys/conf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/tty.h>
 #include <sys/kernel.h>
 #include <sys/thread2.h>
@@ -97,7 +98,7 @@ smopen(struct dev_open_args *ap)
 		tp->t_ispeed = tp->t_ospeed = TTYDEF_SPEED;
 		smparam(tp, &tp->t_termios);
 		(*linesw[tp->t_line].l_modem)(tp, 1);
-	} else if (tp->t_state & TS_XCLUDE && suser_cred(ap->a_cred, 0)) {
+	} else if (tp->t_state & TS_XCLUDE && priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) {
 		return EBUSY;
 	}
 
diff --git a/sys/dev/netif/an/if_an.c b/sys/dev/netif/an/if_an.c
index 1672e8b..c2ff0bd 100644
--- a/sys/dev/netif/an/if_an.c
+++ b/sys/dev/netif/an/if_an.c
@@ -94,6 +94,7 @@
 #include <sys/mbuf.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/ucred.h>
 #include <sys/socket.h>
 #ifdef ANCACHE
@@ -1843,7 +1844,7 @@ an_ioctl(struct ifnet *ifp, u_long command, caddr_t data, struct ucred *cr)
 			break;
 #ifdef ANCACHE
 		if (sc->areq.an_type == AN_RID_ZERO_CACHE) {
-			error = suser_cred(cr, NULL_CRED_OKAY);
+			error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 			if (error)
 				break;
 			sc->an_sigitems = sc->an_nextitem = 0;
@@ -1867,7 +1868,7 @@ an_ioctl(struct ifnet *ifp, u_long command, caddr_t data, struct ucred *cr)
 		error = copyout(&sc->areq, ifr->ifr_data, sizeof(sc->areq));
 		break;
 	case SIOCSAIRONET:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)))
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)))
 			break;
 		error = copyin(ifr->ifr_data, &sc->areq, sizeof(sc->areq));
 		if (error != 0)
@@ -1875,7 +1876,7 @@ an_ioctl(struct ifnet *ifp, u_long command, caddr_t data, struct ucred *cr)
 		an_setdef(sc, &sc->areq);
 		break;
 	case SIOCGPRIVATE_0:              /* used by Cisco client utility */
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)))
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)))
 			break;
 		copyin(ifr->ifr_data, &l_ioctl, sizeof(l_ioctl));
 		mode = l_ioctl.command;
@@ -1895,7 +1896,7 @@ an_ioctl(struct ifnet *ifp, u_long command, caddr_t data, struct ucred *cr)
 
 		break;
 	case SIOCGPRIVATE_1:              /* used by Cisco client utility */
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)))
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)))
 			break;
 		copyin(ifr->ifr_data, &l_ioctl, sizeof(l_ioctl));
 		l_ioctl.command = 0;
@@ -2145,7 +2146,7 @@ an_ioctl(struct ifnet *ifp, u_long command, caddr_t data, struct ucred *cr)
 		}
 		break;
 	case SIOCS80211:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)))
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)))
 			break;
 		sc->areq.an_len = sizeof(sc->areq);
 		/*
diff --git a/sys/dev/netif/ath/hal/ah_osdep.c b/sys/dev/netif/ath/hal/ah_osdep.c
index d95352d..6a7674a 100644
--- a/sys/dev/netif/ath/hal/ah_osdep.c
+++ b/sys/dev/netif/ath/hal/ah_osdep.c
@@ -46,6 +46,7 @@
 #include <sys/bus.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 
 #include <machine/stdarg.h>
 
@@ -203,7 +204,7 @@ ath_hal_setlogging(int enable)
 	int error;
 
 	if (enable) {
-		error = suser(curthread);
+		error = priv_check(curthread, PRIV_ROOT);
 		if (error == 0) {
 			error = alq_open(&ath_hal_alq, ath_hal_logfile,
 				curthread->td_ucred, ALQ_DEFAULT_CMODE,
diff --git a/sys/dev/netif/cx/cx.c b/sys/dev/netif/cx/cx.c
index f2baf09..d58fe22 100644
--- a/sys/dev/netif/cx/cx.c
+++ b/sys/dev/netif/cx/cx.c
@@ -29,6 +29,7 @@
 #include <sys/fcntl.h>
 #include <sys/conf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/tty.h>
 #include <sys/socket.h>
 #include <sys/thread2.h>
@@ -162,7 +163,7 @@ cxopen (struct dev_open_args *ap)
 	tp = c->ttyp;
 	tp->t_dev = dev;
 	if ((tp->t_state & TS_ISOPEN) && (tp->t_state & TS_XCLUDE) &&
-	    suser_cred(ap->a_cred, 0))
+	    priv_check_cred(ap->a_cred, PRIV_ROOT, 0))
 		return (EBUSY);
 	if (! (tp->t_state & TS_ISOPEN)) {
 		ttychars (tp);
diff --git a/sys/dev/netif/iwi/if_iwi.c b/sys/dev/netif/iwi/if_iwi.c
index 44c1ae0..aee63de 100644
--- a/sys/dev/netif/iwi/if_iwi.c
+++ b/sys/dev/netif/iwi/if_iwi.c
@@ -50,6 +50,7 @@
 #include <sys/module.h>
 #include <sys/endian.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/ucred.h>
 #include <sys/bus.h>
 #include <sys/rman.h>
@@ -1953,7 +1954,7 @@ iwi_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 
 	case SIOCSLOADFW:
 		/* only super-user can do that! */
-		error = suser_cred(cr, NULL_CRED_OKAY);
+		error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 		if (error != 0)
 			break;
 
@@ -1963,7 +1964,7 @@ iwi_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 
 	case SIOCSKILLFW:
 		/* only super-user can do that! */
-		error = suser_cred(cr, NULL_CRED_OKAY);
+		error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 		if (error != 0)
 			break;
 
diff --git a/sys/dev/netif/ndis/if_ndis.c b/sys/dev/netif/ndis/if_ndis.c
index fd4d04a..a367764 100644
--- a/sys/dev/netif/ndis/if_ndis.c
+++ b/sys/dev/netif/ndis/if_ndis.c
@@ -42,6 +42,7 @@
 #include <sys/socket.h>
 #include <sys/queue.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/sysctl.h>
 #include <sys/bus.h>
 #include <sys/rman.h>
@@ -1939,7 +1940,7 @@ ndis_wi_ioctl_set(struct ifnet *ifp, u_long command, caddr_t data)
 	uint32_t		foo;
 	int			error, len;
 
-	error = suser(curthread);
+	error = priv_check(curthread, PRIV_ROOT);
 	if (error)
 		return (error);
 
diff --git a/sys/dev/netif/sbni/if_sbni.c b/sys/dev/netif/sbni/if_sbni.c
index 862e9f0..21f4f5c 100644
--- a/sys/dev/netif/sbni/if_sbni.c
+++ b/sys/dev/netif/sbni/if_sbni.c
@@ -67,6 +67,7 @@
 #include <sys/mbuf.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/callout.h>
 #include <sys/syslog.h>
 #include <sys/random.h>
@@ -1091,7 +1092,7 @@ sbni_ioctl(struct ifnet *ifp, u_long command, caddr_t data, struct ucred *cr)
 
 	case SIOCSHWFLAGS:	/* set flags */
 		/* root only */
-		error = suser_cred(cr, NULL_CRED_OKAY);
+		error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 					/* NOTE: returns EPERM if no proc */
 		if (error)
 			break;
@@ -1114,7 +1115,7 @@ sbni_ioctl(struct ifnet *ifp, u_long command, caddr_t data, struct ucred *cr)
 		break;
 
 	case SIOCRINSTATS:
-		if (!(error = suser_cred(cr, NULL_CRED_OKAY)))	/* root only */
+		if (!(error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)))	/* root only */
 			bzero(&sc->in_stats, sizeof(struct sbni_in_stats));
 		break;
 
diff --git a/sys/dev/netif/sbsh/if_sbsh.c b/sys/dev/netif/sbsh/if_sbsh.c
index e26549a..5b3349e 100644
--- a/sys/dev/netif/sbsh/if_sbsh.c
+++ b/sys/dev/netif/sbsh/if_sbsh.c
@@ -34,6 +34,7 @@
 #include <sys/malloc.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/socket.h>
 #include <sys/random.h>
 #include <sys/serialize.h>
@@ -398,7 +399,7 @@ sbsh_ioctl(struct ifnet	*ifp, u_long cmd, caddr_t data, struct ucred *cr)
 
 	switch(cmd) {
 	case SIOCLOADFIRMW:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)) != 0)
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 			break;
 		if (ifp->if_flags & IFF_UP)
 			error = EBUSY;
@@ -418,7 +419,7 @@ sbsh_ioctl(struct ifnet	*ifp, u_long cmd, caddr_t data, struct ucred *cr)
 		break;
 
 	case  SIOCGETSTATS :
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)) != 0)
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 			break;
 
 		t = 0;
@@ -452,7 +453,7 @@ sbsh_ioctl(struct ifnet	*ifp, u_long cmd, caddr_t data, struct ucred *cr)
 		break;
 
 	case  SIOCCLRSTATS :
-		if (!(error = suser_cred(cr, NULL_CRED_OKAY))) {
+		if (!(error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY))) {
 			bzero(&sc->in_stats, sizeof(struct sbni16_stats));
 			t = 2;
 			if (issue_cx28975_cmd(sc, _DSL_CLEAR_ERROR_CTRS, &t, 1))
diff --git a/sys/dev/netif/wi/if_wi.c b/sys/dev/netif/wi/if_wi.c
index 34a966d..479ea01 100644
--- a/sys/dev/netif/wi/if_wi.c
+++ b/sys/dev/netif/wi/if_wi.c
@@ -75,6 +75,7 @@
 #include <sys/sockio.h>
 #include <sys/mbuf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/kernel.h>
 #include <sys/socket.h>
 #include <sys/module.h>
@@ -1110,7 +1111,7 @@ wi_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 		error = wi_get_cfg(ifp, cmd, data, cr);
 		break;
 	case SIOCSIFGENERIC:
-		error = suser_cred(cr, NULL_CRED_OKAY);
+		error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 		if (error)
 			break;
 		error = wi_set_cfg(ifp, cmd, data);
@@ -1129,7 +1130,7 @@ wi_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 			error = copyout(&wreq, ifr->ifr_data, sizeof(wreq));
 		break;
 	case SIOCSPRISM2DEBUG:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)))
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)))
 			goto out;
 		error = copyin(ifr->ifr_data, &wreq, sizeof(wreq));
 		if (error)
@@ -1150,7 +1151,7 @@ wi_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 		}
 		break;
 	case SIOCS80211:
-		error = suser_cred(cr, NULL_CRED_OKAY);
+		error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 		if (error)
 			break;
 		ireq = (struct ieee80211req *) data;
diff --git a/sys/dev/netif/wl/if_wl.c b/sys/dev/netif/wl/if_wl.c
index 07bdbb4..146f99b 100644
--- a/sys/dev/netif/wl/if_wl.c
+++ b/sys/dev/netif/wl/if_wl.c
@@ -200,6 +200,7 @@ WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <sys/socket.h>
 #include <sys/syslog.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/serialize.h>
 #include <sys/sysctl.h>
 #include <sys/bus.h>
@@ -1341,7 +1342,7 @@ wlioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cred)
 	/* pointer to buffer in user space */
 	up = (void *)ifr->ifr_data;
 	/* work out if they're root */
-	isroot = (suser(td) == 0);
+	isroot = (priv_check(td, PRIV_ROOT) == 0);
 	
 	for (i = 0; i < 0x40; i++) {
 	    /* don't hand the DES key out to non-root users */
@@ -1356,7 +1357,7 @@ wlioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cred)
 	/* copy the PSA in from the caller; we only copy _some_ values */
     case SIOCSWLPSA:
 	/* root only */
-	if ((error = suser(td)))
+	if ((error = priv_check(td, PRIV_ROOT)))
 	    break;
 	error = EINVAL;	/* assume the worst */
 	/* pointer to buffer in user space containing data */
@@ -1410,7 +1411,7 @@ wlioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cred)
 	 */
     case SIOCSWLCNWID:
 	/* root only */
-	if ((error = suser(td)))
+	if ((error = priv_check(td, PRIV_ROOT)))
 	    break;
 	if (!(ifp->if_flags & IFF_UP)) {
 	    error = EIO;	/* only allowed while up */
@@ -1428,7 +1429,7 @@ wlioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cred)
 	/* copy the EEPROM in 2.4 Gz WaveMODEM  out to the caller */
     case SIOCGWLEEPROM:
 	/* root only */
-	if ((error = suser(td)))
+	if ((error = priv_check(td; PRIV_ROOT)))
 	    break;
 	/* pointer to buffer in user space */
 	up = (void *)ifr->ifr_data;
@@ -1451,7 +1452,7 @@ wlioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cred)
 	/* zero (Delete) the wl cache */
     case SIOCDWLCACHE:
 	/* root only */
-	if ((error = suser(td)))
+	if ((error = priv_check(td, PRIV_ROOT)))
 	    break;
 	wl_cache_zero(sc);
 	break;
diff --git a/sys/dev/raid/asr/asr.c b/sys/dev/raid/asr/asr.c
index 627fa26..1edc6d4 100644
--- a/sys/dev/raid/asr/asr.c
+++ b/sys/dev/raid/asr/asr.c
@@ -215,6 +215,7 @@ static dpt_sig_S ASR_sig = {
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/conf.h>
 #include <sys/bus.h>
 #include <sys/rman.h>
@@ -3243,7 +3244,7 @@ asr_open(struct dev_open_args *ap)
 	crit_enter();
         if (ASR_ctlr_held) {
                 error = EBUSY;
-        } else if ((error = suser_cred(ap->a_cred, 0)) == 0) {
+        } else if ((error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) == 0) {
                 ++ASR_ctlr_held;
         }
 	crit_exit();
diff --git a/sys/dev/raid/vinum/vinum.c b/sys/dev/raid/vinum/vinum.c
index e3b078f..7a847b3 100644
--- a/sys/dev/raid/vinum/vinum.c
+++ b/sys/dev/raid/vinum/vinum.c
@@ -387,7 +387,7 @@ vinumopen(struct dev_open_args *ap)
 	}
 
     case VINUM_SUPERDEV_TYPE:
-	error = suser_cred(ap->a_cred, 0);		    /* are we root? */
+	error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);  /* are we root? */
 	if (error == 0) {				    /* yes, can do */
 	    if (devminor == VINUM_DAEMON_DEV)		    /* daemon device */
 		vinum_conf.flags |= VF_DAEMONOPEN;	    /* we're open */
diff --git a/sys/dev/raid/vinum/vinumhdr.h b/sys/dev/raid/vinum/vinumhdr.h
index ffb3d95..673a408 100644
--- a/sys/dev/raid/vinum/vinumhdr.h
+++ b/sys/dev/raid/vinum/vinumhdr.h
@@ -47,6 +47,7 @@
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/conf.h>
 #include <sys/mount.h>
 #include <sys/vnode.h>
diff --git a/sys/dev/serial/cy/cy.c b/sys/dev/serial/cy/cy.c
index 23344b5..0c5fe03 100644
--- a/sys/dev/serial/cy/cy.c
+++ b/sys/dev/serial/cy/cy.c
@@ -72,6 +72,7 @@
 #include <sys/systm.h>
 #include <sys/tty.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/conf.h>
 #include <sys/dkstat.h>
 #include <sys/fcntl.h>
@@ -698,7 +699,7 @@ open_top:
 			}
 		}
 		if (tp->t_state & TS_XCLUDE &&
-		    suser_cred(ap->a_cred, 0)) {
+		    priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) {
 			error = EBUSY;
 			goto out;
 		}
@@ -1576,7 +1577,7 @@ sioioctl(struct dev_ioctl_args *ap)
 		}
 		switch (cmd) {
 		case TIOCSETA:
-			error = suser_cred(ap->a_cred, 0);
+			error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 			if (error != 0)
 				return (error);
 			*ct = *(struct termios *)data;
@@ -1676,7 +1677,7 @@ sioioctl(struct dev_ioctl_args *ap)
 		break;
 	case TIOCMSDTRWAIT:
 		/* must be root since the wait applies to following logins */
-		error = suser_cred(ap->a_cred, 0);
+		error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 		if (error != 0) {
 			crit_exit();
 			return (error);
diff --git a/sys/dev/serial/dgb/dgm.c b/sys/dev/serial/dgb/dgm.c
index bf79dde..6e8ba89 100644
--- a/sys/dev/serial/dgb/dgm.c
+++ b/sys/dev/serial/dgb/dgm.c
@@ -75,6 +75,7 @@
 
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/conf.h>
 #include <sys/dkstat.h>
 #include <sys/fcntl.h>
@@ -1020,7 +1021,7 @@ open_top:
 			crit_exit();
 			goto open_top;
 		}
-		if (tp->t_state & TS_XCLUDE && suser_cred(ap->a_cred, 0)) {
+		if (tp->t_state & TS_XCLUDE && priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) {
 			error = EBUSY;
 			goto out;
 		}
@@ -1530,7 +1531,7 @@ dgmioctl(struct dev_ioctl_args *ap)
 		}
 		switch (cmd) {
 		case TIOCSETA:
-			error = suser_cred(ap->a_cred, 0);
+			error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 			if (error != 0)
 				return (error);
 			*ct = *(struct termios *)data;
@@ -1753,7 +1754,7 @@ dgmioctl(struct dev_ioctl_args *ap)
 		break;
 	case TIOCMSDTRWAIT:
 		/* must be root since the wait applies to following logins */
-		error = suser_cred(ap->a_cred, 0);
+		error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 		if (error != 0) {
 			crit_exit();
 			return (error);
diff --git a/sys/dev/serial/digi/digi.c b/sys/dev/serial/digi/digi.c
index 3c19b2f..1da319d 100644
--- a/sys/dev/serial/digi/digi.c
+++ b/sys/dev/serial/digi/digi.c
@@ -41,6 +41,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/conf.h>
 #include <sys/linker.h>
 #include <sys/kernel.h>
@@ -788,7 +789,7 @@ open_top:
 			}
 			goto open_top;
 		}
-		if (tp->t_state & TS_XCLUDE && suser_cred(ap->a_cred, 0) != 0) {
+		if (tp->t_state & TS_XCLUDE && priv_check_cred(ap->a_cred, PRIV_ROOT, 0) != 0) {
 			error = EBUSY;
 			goto out;
 		}
@@ -1131,7 +1132,7 @@ digiioctl(struct dev_ioctl_args *ap)
 
 		switch (cmd) {
 		case TIOCSETA:
-			error = suser_cred(ap->a_cred, 0);
+			error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 			if (error != 0)
 				return (error);
 			*ct = *(struct termios *)data;
@@ -1303,7 +1304,7 @@ digiioctl(struct dev_ioctl_args *ap)
 		*(int *)data = digimctl(port, 0, DMGET);
 		break;
 	case TIOCMSDTRWAIT:
-		error = suser_cred(ap->a_cred, 0);
+		error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 		if (error != 0) {
 			crit_exit();
 			return (error);
diff --git a/sys/dev/serial/rc/rc.c b/sys/dev/serial/rc/rc.c
index 341b8fa..4e8623a 100644
--- a/sys/dev/serial/rc/rc.c
+++ b/sys/dev/serial/rc/rc.c
@@ -42,6 +42,7 @@
 #include <sys/systm.h>
 #include <sys/tty.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/conf.h>
 #include <sys/dkstat.h>
 #include <sys/fcntl.h>
@@ -752,7 +753,7 @@ again:
 			}
 		}
 		if (tp->t_state & TS_XCLUDE &&
-		    suser_cred(ap->a_cred, 0)) {
+		    priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) {
 			error = EBUSY;
 			goto out;
 		}
@@ -1100,7 +1101,7 @@ rcioctl(struct dev_ioctl_args *ap)
 		break;
 
 	    case TIOCMSDTRWAIT:
-		error = suser_cred(ap->a_cred, 0);
+		error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 		if (error != 0) {
 			crit_exit();
 			return (error);
diff --git a/sys/dev/serial/rp/rp.c b/sys/dev/serial/rp/rp.c
index c13347c..238bd91 100644
--- a/sys/dev/serial/rp/rp.c
+++ b/sys/dev/serial/rp/rp.c
@@ -43,6 +43,7 @@
 #include <sys/malloc.h>
 #include <sys/tty.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/dkstat.h>
 #include <sys/conf.h>
 #include <sys/kernel.h>
@@ -986,7 +987,7 @@ open_top:
 				goto open_top;
 			}
 		}
-		if(tp->t_state & TS_XCLUDE && suser_cred(ap->a_cred, 0) != 0) {
+		if(tp->t_state & TS_XCLUDE && priv_check_cred(ap->a_cred, PRIV_ROOT, 0) != 0) {
 			crit_exit();
 			error = EBUSY;
 			goto out2;
@@ -1236,7 +1237,7 @@ rpioctl(struct dev_ioctl_args *ap)
 		}
 		switch (cmd) {
 		case TIOCSETA:
-			error = suser_cred(ap->a_cred, 0);
+			error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 			if(error != 0)
 				return(error);
 			*ct = *(struct termios *)data;
@@ -1382,7 +1383,7 @@ rpioctl(struct dev_ioctl_args *ap)
 		*(int *)data = result;
 		break;
 	case TIOCMSDTRWAIT:
-		error = suser_cred(ap->a_cred, 0);
+		error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 		if(error != 0) {
 			crit_exit();
 			return(error);
diff --git a/sys/dev/serial/si/si.c b/sys/dev/serial/si/si.c
index 960d317..3a19c35 100644
--- a/sys/dev/serial/si/si.c
+++ b/sys/dev/serial/si/si.c
@@ -50,6 +50,7 @@ static const char si_copyright1[] =  "@(#) Copyright (C) Specialix International
 #endif
 #include <sys/tty.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/conf.h>
 #include <sys/fcntl.h>
 #include <sys/dkstat.h>
@@ -628,7 +629,7 @@ siopen(struct dev_open_args *ap)
 
 	/* quickly let in /dev/si_control */
 	if (IS_CONTROLDEV(mynor)) {
-		if ((error = suser_cred(ap->a_cred, 0)))
+		if ((error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0)))
 			return(error);
 		return(0);
 	}
@@ -707,7 +708,7 @@ open_top:
 			}
 		}
 		if (tp->t_state & TS_XCLUDE &&
-		    suser_cred(ap->a_cred, 0)) {
+		    priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) {
 			DPRINT((pp, DBG_OPEN|DBG_FAIL,
 				"already open and EXCLUSIVE set\n"));
 			error = EBUSY;
@@ -973,7 +974,7 @@ siioctl(struct dev_ioctl_args *ap)
 		}
 		switch (cmd) {
 		case TIOCSETA:
-			error = suser_cred(ap->a_cred, 0);
+			error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 			if (error != 0)
 				return (error);
 			*ct = *(struct termios *)data;
@@ -1087,7 +1088,7 @@ siioctl(struct dev_ioctl_args *ap)
 		break;
 	case TIOCMSDTRWAIT:
 		/* must be root since the wait applies to following logins */
-		error = suser_cred(ap->a_cred, 0);
+		error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 		if (error == 0)
 			pp->sp_dtr_wait = *(int *)data * hz / 100;
 		break;
@@ -1139,7 +1140,7 @@ si_Sioctl(cdev_t dev, u_long cmd, caddr_t data, int flag, struct ucred *cred)
 
 	ip = (int *)data;
 
-#define SUCHECK if ((error = suser_cred(cred, 0))) goto out
+#define SUCHECK if ((error = priv_check_cred(cred, PRIV_ROOT, 0))) goto out
 
 	switch (cmd) {
 	case TCSIPORTS:
diff --git a/sys/dev/serial/sio/sio.c b/sys/dev/serial/sio/sio.c
index 4ed61ec..441e792 100644
--- a/sys/dev/serial/sio/sio.c
+++ b/sys/dev/serial/sio/sio.c
@@ -61,6 +61,7 @@
 #include <sys/malloc.h>
 #include <sys/tty.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/module.h>
 #include <sys/conf.h>
 #include <sys/dkstat.h>
@@ -1285,7 +1286,7 @@ open_top:
 				goto open_top;
 			}
 		}
-		if (tp->t_state & TS_XCLUDE && suser_cred(ap->a_cred, 0)) {
+		if (tp->t_state & TS_XCLUDE && priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) {
 			error = EBUSY;
 			goto out;
 		}
@@ -1979,7 +1980,7 @@ sioioctl(struct dev_ioctl_args *ap)
 		}
 		switch (ap->a_cmd) {
 		case TIOCSETA:
-			error = suser_cred(ap->a_cred, 0);
+			error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 			if (error != 0)
 				return (error);
 			*ct = *(struct termios *)data;
@@ -2071,7 +2072,7 @@ sioioctl(struct dev_ioctl_args *ap)
 		break;
 	case TIOCMSDTRWAIT:
 		/* must be root since the wait applies to following logins */
-		error = suser_cred(ap->a_cred, 0);
+		error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 		if (error != 0) {
 			crit_exit();
 			return (error);
diff --git a/sys/dev/serial/stl/stallion.c b/sys/dev/serial/stl/stallion.c
index dfc2d22..71a2da0 100644
--- a/sys/dev/serial/stl/stallion.c
+++ b/sys/dev/serial/stl/stallion.c
@@ -50,6 +50,7 @@
 #include <sys/malloc.h>
 #include <sys/tty.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/conf.h>
 #include <sys/fcntl.h>
 #include <sys/thread2.h>
@@ -1214,7 +1215,7 @@ stlopen_restart:
 				goto stlopen_restart;
 			}
 		}
-		if ((tp->t_state & TS_XCLUDE) && suser_cred(ap->a_cred, 0)) {
+		if ((tp->t_state & TS_XCLUDE) && priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) {
 			error = EBUSY;
 			goto stlopen_end;
 		}
@@ -1356,7 +1357,7 @@ STATIC int stlioctl(struct dev_ioctl_args *ap)
 
 		switch (cmd) {
 		case TIOCSETA:
-			if ((error = suser_cred(ap->a_cred, 0)) == 0)
+			if ((error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) == 0)
 				*localtios = *((struct termios *) data);
 			break;
 		case TIOCGETA:
@@ -1475,7 +1476,7 @@ STATIC int stlioctl(struct dev_ioctl_args *ap)
 		*((int *) data) = (stl_getsignals(portp) | TIOCM_LE);
 		break;
 	case TIOCMSDTRWAIT:
-		if ((error = suser_cred(ap->a_cred, 0)) == 0)
+		if ((error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) == 0)
 			portp->dtrwait = *((int *) data) * hz / 100;
 		break;
 	case TIOCMGDTRWAIT:
diff --git a/sys/dev/serial/stli/istallion.c b/sys/dev/serial/stli/istallion.c
index 64bc656..233b906 100644
--- a/sys/dev/serial/stli/istallion.c
+++ b/sys/dev/serial/stli/istallion.c
@@ -49,6 +49,7 @@
 #include <sys/malloc.h>
 #include <sys/tty.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/conf.h>
 #include <sys/fcntl.h>
 #include <sys/uio.h>
@@ -942,7 +943,7 @@ stliopen_restart:
 			}
 		}
 		if ((tp->t_state & TS_XCLUDE) &&
-		    suser_cred(ap->a_cred, 0)) {
+		    priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) {
 			error = EBUSY;
 			goto stliopen_end;
 		}
@@ -1132,7 +1133,7 @@ STATIC int stliioctl(struct dev_ioctl_args *ap)
 
 		switch (cmd) {
 		case TIOCSETA:
-			if ((error = suser_cred(ap->a_cred, 0)) == 0)
+			if ((error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) == 0)
 				*localtios = *((struct termios *) data);
 			break;
 		case TIOCGETA:
@@ -1269,7 +1270,7 @@ STATIC int stliioctl(struct dev_ioctl_args *ap)
 		*((int *) data) = (portp->sigs | TIOCM_LE);
 		break;
 	case TIOCMSDTRWAIT:
-		if ((error = suser_cred(ap->a_cred, 0)) == 0)
+		if ((error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) == 0)
 			portp->dtrwait = *((int *) data) * hz / 100;
 		break;
 	case TIOCMGDTRWAIT:
diff --git a/sys/dev/usbmisc/ucom/ucom.c b/sys/dev/usbmisc/ucom/ucom.c
index 8ac4856..3016b1f 100644
--- a/sys/dev/usbmisc/ucom/ucom.c
+++ b/sys/dev/usbmisc/ucom/ucom.c
@@ -80,6 +80,7 @@
 #include <sys/file.h>
 #include <sys/select.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/poll.h>
 #include <sys/sysctl.h>
 #include <sys/thread2.h>
@@ -264,7 +265,7 @@ ucomopen(struct dev_open_args *ap)
 
 	if (ISSET(tp->t_state, TS_ISOPEN) &&
 	    ISSET(tp->t_state, TS_XCLUDE) &&
-	    suser_cred(ap->a_cred, 0)
+	    priv_check_cred(ap->a_cred, PRIV_ROOT, 0)
 	) {
 		return (EBUSY);
 	}
diff --git a/sys/emulation/43bsd/43bsd_hostinfo.c b/sys/emulation/43bsd/43bsd_hostinfo.c
index bb72015..21bedfd 100644
--- a/sys/emulation/43bsd/43bsd_hostinfo.c
+++ b/sys/emulation/43bsd/43bsd_hostinfo.c
@@ -46,6 +46,7 @@
 #include <sys/sysproto.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/socket.h>
 #include <sys/sysctl.h>
 #include <vm/vm_param.h>
@@ -84,7 +85,7 @@ sys_osethostname(struct sethostname_args *uap)
 	KKASSERT(p);
 	name[0] = CTL_KERN;
 	name[1] = KERN_HOSTNAME;
-	error = suser_cred(p->p_ucred, PRISON_ROOT);
+	error = priv_check_cred(p->p_ucred, PRIV_ROOT, PRISON_ROOT);
 	if (error)
 		return (error);
 	len = MIN(uap->len, MAXHOSTNAMELEN);
@@ -115,7 +116,7 @@ sys_osethostid(struct osethostid_args *uap)
 	struct thread *td = curthread;
 	int error;
 
-	error = suser(td);
+	error = priv_check(td, PRIV_ROOT);
 	if (error)
 		return (error);
 	hostid = uap->hostid;
diff --git a/sys/emulation/dragonfly12/dfbsd12_stat.c b/sys/emulation/dragonfly12/dfbsd12_stat.c
index ffbeae7..c8daa1e 100644
--- a/sys/emulation/dragonfly12/dfbsd12_stat.c
+++ b/sys/emulation/dragonfly12/dfbsd12_stat.c
@@ -41,6 +41,7 @@
 #include <sys/mount.h>
 #include <sys/nlookup.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/stat.h>
 #include <sys/sysproto.h>
 #include <sys/systm.h>
@@ -137,7 +138,7 @@ sys_dfbsd12_fhstat(struct dfbsd12_fhstat_args *uap)
 	/*
 	 * Must be super user
 	 */
-	error = suser(td);
+	error = priv_check(td, PRIV_ROOT);
 	if (error)
 		return (error);
 	
diff --git a/sys/emulation/linux/i386/linprocfs/linprocfs_vnops.c b/sys/emulation/linux/i386/linprocfs/linprocfs_vnops.c
index 372e84c..14bc703 100644
--- a/sys/emulation/linux/i386/linprocfs/linprocfs_vnops.c
+++ b/sys/emulation/linux/i386/linprocfs/linprocfs_vnops.c
@@ -53,6 +53,7 @@
 #include <sys/lock.h>
 #include <sys/fcntl.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/signalvar.h>
 #include <sys/vnode.h>
 #include <sys/mount.h>
@@ -263,7 +264,7 @@ linprocfs_ioctl(struct vop_ioctl_args *ap)
 	   */
 #define NFLAGS	(PF_ISUGID)
 	  flags = (unsigned char)*(unsigned int*)ap->a_data;
-	  if (flags & NFLAGS && (error = suser_cred(ap->a_cred, 0)))
+	  if (flags & NFLAGS && (error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0)))
 	    return error;
 	  procp->p_pfsflags = flags;
 	  break;
diff --git a/sys/emulation/linux/i386/linux_machdep.c b/sys/emulation/linux/i386/linux_machdep.c
index b23d9d2..894c537 100644
--- a/sys/emulation/linux/i386/linux_machdep.c
+++ b/sys/emulation/linux/i386/linux_machdep.c
@@ -37,6 +37,7 @@
 #include <sys/mman.h>
 #include <sys/nlookup.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/resource.h>
 #include <sys/resourcevar.h>
 #include <sys/sysproto.h>
@@ -677,7 +678,7 @@ sys_linux_iopl(struct linux_iopl_args *args)
 
 	if (args->level < 0 || args->level > 3)
 		return (EINVAL);
-	if ((error = suser(td)) != 0)
+	if ((error = priv_check(td, PRIV_ROOT)) != 0)
 		return (error);
 	if (securelevel > 0)
 		return (EPERM);
diff --git a/sys/emulation/linux/linux_misc.c b/sys/emulation/linux/linux_misc.c
index 4e8ae14..a9c7960 100644
--- a/sys/emulation/linux/linux_misc.c
+++ b/sys/emulation/linux/linux_misc.c
@@ -42,6 +42,7 @@
 #include <sys/mount.h>
 #include <sys/poll.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/nlookup.h>
 #include <sys/blist.h>
 #include <sys/reboot.h>
@@ -975,7 +976,7 @@ sys_linux_setgroups(struct linux_setgroups_args *args)
 	 * Keep cr_groups[0] unchanged to prevent that.
 	 */
 
-	if ((error = suser_cred(oldcred, PRISON_ROOT)) != 0)
+	if ((error = priv_check_cred(oldcred, PRIV_ROOT, PRISON_ROOT)) != 0)
 		return (error);
 
 	if (ngrp >= NGROUPS)
diff --git a/sys/emulation/linux/linux_uid16.c b/sys/emulation/linux/linux_uid16.c
index 6cba97c..f476cf6 100644
--- a/sys/emulation/linux/linux_uid16.c
+++ b/sys/emulation/linux/linux_uid16.c
@@ -34,6 +34,7 @@
 #include <sys/kern_syscall.h>
 #include <sys/nlookup.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/sysproto.h>
 #include <sys/thread.h>
 
@@ -121,7 +122,7 @@ sys_linux_setgroups16(struct linux_setgroups16_args *args)
 	 * Keep cr_groups[0] unchanged to prevent that.
 	 */
 
-	if ((error = suser_cred(oldcred, PRISON_ROOT)) != 0)
+	if ((error = priv_check_cred(oldcred, PRIV_ROOT, PRISON_ROOT)) != 0)
 		return (error);
 
 	if (ngrp >= NGROUPS)
diff --git a/sys/kern/imgact_resident.c b/sys/kern/imgact_resident.c
index 72128a1..0107c55 100644
--- a/sys/kern/imgact_resident.c
+++ b/sys/kern/imgact_resident.c
@@ -43,6 +43,7 @@
 #include <sys/imgact_aout.h>
 #include <sys/mman.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/resourcevar.h>
 #include <sys/sysent.h>
 #include <sys/systm.h>
@@ -132,7 +133,7 @@ sysctl_vm_resident(SYSCTL_HANDLER_ARGS)
 
 	/* only super-user should call this sysctl */
 	td = req->td;
-	if ((suser(td)) != 0)
+	if ((priv_check(td, PRIV_ROOT)) != 0)
 		return EPERM;
 
 	error = count = 0;
@@ -197,7 +198,7 @@ sys_exec_sys_register(struct exec_sys_register_args *uap)
     int error;
 
     p = curproc;
-    if ((error = suser_cred(p->p_ucred, 0)) != 0)
+    if ((error = priv_check_cred(p->p_ucred, PRIV_ROOT, 0)) != 0)
 	return(error);
     if ((vp = p->p_textvp) == NULL)
 	return(ENOENT);
@@ -236,7 +237,7 @@ sys_exec_sys_unregister(struct exec_sys_unregister_args *uap)
     int count;
 
     p = curproc;
-    if ((error = suser_cred(p->p_ucred, 0)) != 0)
+    if ((error = priv_check_cred(p->p_ucred, PRIV_ROOT, 0)) != 0)
 	return(error);
 
     /*
diff --git a/sys/kern/kern_acct.c b/sys/kern/kern_acct.c
index 4856779..2c63d26 100644
--- a/sys/kern/kern_acct.c
+++ b/sys/kern/kern_acct.c
@@ -45,6 +45,7 @@
 #include <sys/systm.h>
 #include <sys/sysproto.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/mount.h>
 #include <sys/vnode.h>
 #include <sys/fcntl.h>
@@ -127,7 +128,7 @@ sys_acct(struct acct_args *uap)
 	int error;
 
 	/* Make sure that the caller is root. */
-	error = suser(td);
+	error = priv_check(td, PRIV_ROOT);
 	if (error)
 		return (error);
 
diff --git a/sys/kern/kern_exec.c b/sys/kern/kern_exec.c
index ba3beef..1212eef 100644
--- a/sys/kern/kern_exec.c
+++ b/sys/kern/kern_exec.c
@@ -42,6 +42,7 @@
 #include <sys/wait.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/ktrace.h>
 #include <sys/signalvar.h>
 #include <sys/pioctl.h>
@@ -398,7 +399,7 @@ interpret:
 		 * we do not regain any tracing during a possible block.
 		 */
 		setsugid();
-		if (p->p_tracenode && suser(td) != 0) {
+		if (p->p_tracenode && priv_check(td, PRIV_ROOT) != 0) {
 			ktrdestroy(&p->p_tracenode);
 			p->p_traceflag = 0;
 		}
diff --git a/sys/kern/kern_fp.c b/sys/kern/kern_fp.c
index 980b6e9..564c6e6 100644
--- a/sys/kern/kern_fp.c
+++ b/sys/kern/kern_fp.c
@@ -54,6 +54,7 @@
 #include <sys/sysctl.h>
 #include <sys/vnode.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/nlookup.h>
 #include <sys/file.h>
 #include <sys/stat.h>
@@ -511,7 +512,7 @@ fp_mmap(void *addr_arg, size_t size, int prot, int flags, struct file *fp,
 	if (securelevel >= 1)
 	    disablexworkaround = 1;
 	else
-	    disablexworkaround = suser(td);
+	    disablexworkaround = priv_check(td, PRIV_ROOT);
 	if (vp->v_type == VCHR && disablexworkaround &&
 	    (flags & (MAP_PRIVATE|MAP_COPY))) {
 		error = EINVAL;
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index 749820f..acd7022 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -51,6 +51,7 @@
 #include <sys/nlookup.h>
 #include <sys/namecache.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/jail.h>
 #include <sys/socket.h>
 #include <sys/sysctl.h>
@@ -142,7 +143,7 @@ sys_jail(struct jail_args *uap)
 	struct jail_ip_storage *jip;
 	/* Multiip */
 
-	error = suser(td);
+	error = priv_check(td, PRIV_ROOT);
 	if (error) {
 		uap->sysmsg_result = -1;
 		return(error);
@@ -256,7 +257,7 @@ sys_jail_attach(struct jail_attach_args *uap)
 	struct thread *td = curthread;
 	int error;
 
-	error = suser(td);
+	error = priv_check(td, PRIV_ROOT);
 	if (error)
 		return(error);
 
diff --git a/sys/kern/kern_linker.c b/sys/kern/kern_linker.c
index aabe8ad..b778ee8 100644
--- a/sys/kern/kern_linker.c
+++ b/sys/kern/kern_linker.c
@@ -36,6 +36,7 @@
 #include <sys/sysproto.h>
 #include <sys/sysent.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/lock.h>
 #include <sys/module.h>
 #include <sys/queue.h>
@@ -701,7 +702,7 @@ sys_kldload(struct kldload_args *uap)
     if (securelevel > 0 || kernel_mem_readonly)	/* redundant, but that's OK */
 	return EPERM;
 
-    if ((error = suser(td)) != 0)
+    if ((error = priv_check(td, PRIV_ROOT)) != 0)
 	return error;
 
     filename = kmalloc(MAXPATHLEN, M_TEMP, M_WAITOK);
@@ -741,7 +742,7 @@ sys_kldunload(struct kldunload_args *uap)
     if (securelevel > 0 || kernel_mem_readonly)	/* redundant, but that's OK */
 	return EPERM;
 
-    if ((error = suser(td)) != 0)
+    if ((error = priv_check(td, PRIV_ROOT)) != 0)
 	return error;
 
     lf = linker_find_file_by_id(uap->fileid);
diff --git a/sys/kern/kern_memio.c b/sys/kern/kern_memio.c
index d407cc5..14788ee 100644
--- a/sys/kern/kern_memio.c
+++ b/sys/kern/kern_memio.c
@@ -57,6 +57,7 @@
 #include <sys/malloc.h>
 #include <sys/memrange.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/random.h>
 #include <sys/signalvar.h>
 #include <sys/signal2.h>
@@ -114,7 +115,7 @@ mmopen(struct dev_open_args *ap)
 		error = 0;
 		break;
 	case 14:
-		error = suser_cred(ap->a_cred, 0);
+		error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 		if (error != 0)
 			break;
 		if (securelevel > 0 || kernel_mem_readonly) {
@@ -491,7 +492,7 @@ random_ioctl(cdev_t dev, u_long cmd, caddr_t data, int flags, struct ucred *cred
 		break;
 	case MEM_SETIRQ:
 		intr = *(int16_t *)data;
-		if ((error = suser_cred(cred, 0)) != 0)
+		if ((error = priv_check_cred(cred, PRIV_ROOT, 0)) != 0)
 			break;
 		if (intr < 0 || intr >= MAX_INTS)
 			return (EINVAL);
@@ -499,7 +500,7 @@ random_ioctl(cdev_t dev, u_long cmd, caddr_t data, int flags, struct ucred *cred
 		break;
 	case MEM_CLEARIRQ:
 		intr = *(int16_t *)data;
-		if ((error = suser_cred(cred, 0)) != 0)
+		if ((error = priv_check_cred(cred, PRIV_ROOT, 0)) != 0)
 			break;
 		if (intr < 0 || intr >= MAX_INTS)
 			return (EINVAL);
@@ -510,7 +511,7 @@ random_ioctl(cdev_t dev, u_long cmd, caddr_t data, int flags, struct ucred *cred
 		break;
 	case MEM_FINDIRQ:
 		intr = *(int16_t *)data;
-		if ((error = suser_cred(cred, 0)) != 0)
+		if ((error = priv_check_cred(cred, PRIV_ROOT, 0)) != 0)
 			break;
 		if (intr < 0 || intr >= MAX_INTS)
 			return (EINVAL);
diff --git a/sys/kern/kern_ntptime.c b/sys/kern/kern_ntptime.c
index 90acb9d..63caddc 100644
--- a/sys/kern/kern_ntptime.c
+++ b/sys/kern/kern_ntptime.c
@@ -39,6 +39,7 @@
 #include <sys/sysproto.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/time.h>
 #include <sys/timex.h>
 #include <sys/timepps.h>
@@ -289,7 +290,7 @@ sys_ntp_adjtime(struct ntp_adjtime_args *uap)
 	 */
 	modes = ntv.modes;
 	if (modes)
-		error = suser(td);
+		error = priv_check(td, PRIV_ROOT);
 	if (error)
 		return (error);
 	crit_enter();
diff --git a/sys/kern/kern_plimit.c b/sys/kern/kern_plimit.c
index a1d7307..4a788af 100644
--- a/sys/kern/kern_plimit.c
+++ b/sys/kern/kern_plimit.c
@@ -72,6 +72,7 @@
 #include <sys/resource.h>
 #include <sys/spinlock.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/file.h>
 #include <sys/lockf.h>
 #include <sys/kern_syscall.h>
@@ -346,7 +347,7 @@ kern_setrlimit(u_int which, struct rlimit *limp)
         if (limp->rlim_cur > alimp->rlim_max ||
             limp->rlim_max > alimp->rlim_max) {
 		spin_unlock_rd(&limit->p_spin);
-                if ((error = suser_cred(p->p_ucred, PRISON_ROOT)))
+                if ((error = priv_check_cred(p->p_ucred, PRIV_ROOT, PRISON_ROOT)))
                         return (error);
 	} else {
 		spin_unlock_rd(&limit->p_spin);
diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index bcf03ff..68df28e 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -352,7 +352,7 @@ sys_setuid(struct setuid_args *uap)
 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
 	    uid != cr->cr_uid &&	/* allow setuid(geteuid()) */
 #endif
-	    (error = suser_cred(cr, PRISON_ROOT)))
+	    (error = priv_check_cred(cr, PRIV_ROOT, PRISON_ROOT)))
 		return (error);
 
 #ifdef _POSIX_SAVED_IDS
@@ -364,7 +364,7 @@ sys_setuid(struct setuid_args *uap)
 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use the clause from B.4.2.2 */
 	    uid == cr->cr_uid ||
 #endif
-	    suser_cred(cr, PRISON_ROOT) == 0) /* we are using privs */
+	    priv_check_cred(cr, PRIV_ROOT, PRISON_ROOT) == 0) /* we are using privs */
 #endif
 	{
 		/*
@@ -415,7 +415,7 @@ sys_seteuid(struct seteuid_args *uap)
 	euid = uap->euid;
 	if (euid != cr->cr_ruid &&		/* allow seteuid(getuid()) */
 	    euid != cr->cr_svuid &&		/* allow seteuid(saved uid) */
-	    (error = suser_cred(cr, PRISON_ROOT)))
+	    (error = priv_check_cred(cr, PRIV_ROOT, PRISON_ROOT)))
 		return (error);
 	/*
 	 * Everything's okay, do it.  Copy credentials so other references do
@@ -460,7 +460,7 @@ sys_setgid(struct setgid_args *uap)
 #ifdef POSIX_APPENDIX_B_4_2_2	/* Use BSD-compat clause from B.4.2.2 */
 	    gid != cr->cr_groups[0] && /* allow setgid(getegid()) */
 #endif
-	    (error = suser_cred(cr, PRISON_ROOT)))
+	    (error = priv_check_cred(cr, PRIV_ROOT, PRISON_ROOT)))
 		return (error);
 
 #ifdef _POSIX_SAVED_IDS
@@ -472,7 +472,7 @@ sys_setgid(struct setgid_args *uap)
 #ifdef POSIX_APPENDIX_B_4_2_2	/* use the clause from B.4.2.2 */
 	    gid == cr->cr_groups[0] ||
 #endif
-	    suser_cred(cr, PRISON_ROOT) == 0) /* we are using privs */
+	    priv_check_cred(cr, PRIV_ROOT, PRISON_ROOT) == 0) /* we are using privs */
 #endif
 	{
 		/*
@@ -524,7 +524,7 @@ sys_setegid(struct setegid_args *uap)
 	egid = uap->egid;
 	if (egid != cr->cr_rgid &&		/* allow setegid(getgid()) */
 	    egid != cr->cr_svgid &&		/* allow setegid(saved gid) */
-	    (error = suser_cred(cr, PRISON_ROOT)))
+	    (error = priv_check_cred(cr, PRIV_ROOT, PRISON_ROOT)))
 		return (error);
 	if (cr->cr_groups[0] != egid) {
 		cr = cratom(&p->p_ucred);
@@ -547,7 +547,7 @@ sys_setgroups(struct setgroups_args *uap)
 		return(EPERM);
 	cr = p->p_ucred;
 
-	if ((error = suser_cred(cr, PRISON_ROOT)))
+	if ((error = priv_check_cred(cr, PRIV_ROOT, PRISON_ROOT)))
 		return (error);
 	ngrp = uap->gidsetsize;
 	if (ngrp > NGROUPS)
@@ -593,7 +593,7 @@ sys_setreuid(struct setreuid_args *uap)
 	if (((ruid != (uid_t)-1 && ruid != cr->cr_ruid && ruid != cr->cr_svuid) ||
 	     (euid != (uid_t)-1 && euid != cr->cr_uid &&
 	     euid != cr->cr_ruid && euid != cr->cr_svuid)) &&
-	    (error = suser_cred(cr, PRISON_ROOT)) != 0)
+	    (error = priv_check_cred(cr, PRIV_ROOT, PRISON_ROOT)) != 0)
 		return (error);
 
 	if (euid != (uid_t)-1 && cr->cr_uid != euid) {
@@ -631,7 +631,7 @@ sys_setregid(struct setregid_args *uap)
 	if (((rgid != (gid_t)-1 && rgid != cr->cr_rgid && rgid != cr->cr_svgid) ||
 	     (egid != (gid_t)-1 && egid != cr->cr_groups[0] &&
 	     egid != cr->cr_rgid && egid != cr->cr_svgid)) &&
-	    (error = suser_cred(cr, PRISON_ROOT)) != 0)
+	    (error = priv_check_cred(cr, PRIV_ROOT, PRISON_ROOT)) != 0)
 		return (error);
 
 	if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) {
@@ -677,7 +677,7 @@ sys_setresuid(struct setresuid_args *uap)
 	      euid != cr->cr_uid) ||
 	     (suid != (uid_t)-1 && suid != cr->cr_ruid && suid != cr->cr_svuid &&
 	      suid != cr->cr_uid)) &&
-	    (error = suser_cred(cr, PRISON_ROOT)) != 0)
+	    (error = priv_check_cred(cr, PRIV_ROOT, PRISON_ROOT)) != 0)
 		return (error);
 	if (euid != (uid_t)-1 && cr->cr_uid != euid) {
 		cr = change_euid(euid);
@@ -719,7 +719,7 @@ sys_setresgid(struct setresgid_args *uap)
 	      egid != cr->cr_groups[0]) ||
 	     (sgid != (gid_t)-1 && sgid != cr->cr_rgid && sgid != cr->cr_svgid &&
 	      sgid != cr->cr_groups[0])) &&
-	    (error = suser_cred(cr, PRISON_ROOT)) != 0)
+	    (error = priv_check_cred(cr, PRIV_ROOT, PRISON_ROOT)) != 0)
 		return (error);
 
 	if (egid != (gid_t)-1 && cr->cr_groups[0] != egid) {
@@ -900,7 +900,7 @@ p_trespass(struct ucred *cr1, struct ucred *cr2)
 		return (0);
 	if (cr1->cr_uid == cr2->cr_uid)
 		return (0);
-	if (suser_cred(cr1, PRISON_ROOT) == 0)
+	if (priv_check_cred(cr1, PRIV_ROOT, PRISON_ROOT) == 0)
 		return (0);
 	return (EPERM);
 }
@@ -1118,7 +1118,7 @@ sys_setlogin(struct setlogin_args *uap)
 	char logintmp[MAXLOGNAME];
 
 	KKASSERT(p != NULL);
-	if ((error = suser_cred(p->p_ucred, PRISON_ROOT)))
+	if ((error = priv_check_cred(p->p_ucred, PRIV_ROOT, PRISON_ROOT)))
 		return (error);
 	error = copyinstr((caddr_t) uap->namebuf, (caddr_t) logintmp,
 	    sizeof(logintmp), (size_t *)0);
diff --git a/sys/kern/kern_resource.c b/sys/kern/kern_resource.c
index 2e07429..92a7e5f 100644
--- a/sys/kern/kern_resource.c
+++ b/sys/kern/kern_resource.c
@@ -51,6 +51,7 @@
 #include <sys/resourcevar.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/time.h>
 #include <sys/lockf.h>
 
@@ -253,7 +254,7 @@ donice(struct proc *chgp, int n)
 		n = PRIO_MAX;
 	if (n < PRIO_MIN)
 		n = PRIO_MIN;
-	if (n < chgp->p_nice && suser_cred(cr, 0))
+	if (n < chgp->p_nice && priv_check_cred(cr, PRIV_ROOT, 0))
 		return (EACCES);
 	chgp->p_nice = n;
 	FOREACH_LWP_IN_PROC(lp, chgp)
@@ -311,7 +312,7 @@ sys_lwp_rtprio(struct lwp_rtprio_args *uap)
 			return EPERM;
 		}
 		/* disallow setting rtprio in most cases if not superuser */
-		if (suser_cred(cr, 0)) {
+		if (priv_check_cred(cr, PRIV_ROOT, 0)) {
 			/* can't set someone else's */
 			if (uap->pid) { /* XXX */
 				return EPERM;
@@ -385,7 +386,7 @@ sys_rtprio(struct rtprio_args *uap)
 		    cr->cr_ruid != p->p_ucred->cr_uid)
 		        return (EPERM);
 		/* disallow setting rtprio in most cases if not superuser */
-		if (suser_cred(cr, 0)) {
+		if (priv_check_cred(cr, PRIV_ROOT, 0)) {
 			/* can't set someone else's */
 			if (uap->pid)
 				return (EPERM);
diff --git a/sys/kern/kern_shutdown.c b/sys/kern/kern_shutdown.c
index 369739e..015c8e1 100644
--- a/sys/kern/kern_shutdown.c
+++ b/sys/kern/kern_shutdown.c
@@ -53,6 +53,7 @@
 #include <sys/diskslice.h>
 #include <sys/reboot.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/fcntl.h>		/* FREAD	*/
 #include <sys/stat.h>		/* S_IFCHR	*/
 #include <sys/vnode.h>
@@ -186,7 +187,7 @@ sys_reboot(struct reboot_args *uap)
 	struct thread *td = curthread;
 	int error;
 
-	if ((error = suser(td)))
+	if ((error = priv_check(td, PRIV_ROOT)))
 		return (error);
 
 	boot(uap->opt);
diff --git a/sys/kern/kern_spinlock.c b/sys/kern/kern_spinlock.c
index 32a358c..d1f31b8 100644
--- a/sys/kern/kern_spinlock.c
+++ b/sys/kern/kern_spinlock.c
@@ -42,6 +42,7 @@
 #ifdef INVARIANTS
 #include <sys/proc.h>
 #endif
+#include <sys/priv.h>
 #include <ddb/ddb.h>
 #include <machine/atomic.h>
 #include <machine/cpufunc.h>
@@ -347,7 +348,7 @@ sysctl_spin_lock_test(SYSCTL_HANDLER_ARGS)
 	int value = 0;
 	int i;
 
-	if ((error = suser(curthread)) != 0)
+	if ((error = priv_check(curthread, PRIV_ROOT)) != 0)
 		return (error);
 	if ((error = SYSCTL_IN(req, &value, sizeof(value))) != 0)
 		return (error);
diff --git a/sys/kern/kern_sysctl.c b/sys/kern/kern_sysctl.c
index 30274a0..0838c6b 100644
--- a/sys/kern/kern_sysctl.c
+++ b/sys/kern/kern_sysctl.c
@@ -48,6 +48,7 @@
 #include <sys/sysctl.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/sysproto.h>
 #include <sys/lock.h>
 #include <vm/vm.h>
@@ -535,7 +536,7 @@ sysctl_sysctl_debug(SYSCTL_HANDLER_ARGS)
 {
 	int error;
 
-	error = suser(req->td);
+	error = priv_check(req->td, PRIV_ROOT);
 	if (error)
 		return error;
 	sysctl_sysctl_debug_dump_node(&sysctl__children, 0);
@@ -1179,7 +1180,7 @@ sysctl_root(SYSCTL_HANDLER_ARGS)
 
 	/* Most likely only root can write */
 	if (!(oid->oid_kind & CTLFLAG_ANYBODY) && req->newptr && p &&
-	    (error = suser_cred(p->p_ucred, 
+	    (error = priv_check_cred(p->p_ucred, PRIV_ROOT,
 	     (oid->oid_kind & CTLFLAG_PRISON) ? PRISON_ROOT : 0)))
 		return (error);
 
diff --git a/sys/kern/kern_syslink.c b/sys/kern/kern_syslink.c
index ca2c382..4e1e747 100644
--- a/sys/kern/kern_syslink.c
+++ b/sys/kern/kern_syslink.c
@@ -47,6 +47,7 @@
 #include <sys/alist.h>
 #include <sys/file.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/lock.h>
 #include <sys/uio.h>
 #include <sys/objcache.h>
@@ -262,7 +263,7 @@ sys_syslink(struct syslink_args *uap)
 	 */
 	if (syslink_enabled == 0)
 		return (EAUTH);
-	error = suser(curthread);
+	error = priv_check(curthread, PRIV_ROOT);
 	if (error)
 		return (error);
 
diff --git a/sys/kern/kern_time.c b/sys/kern/kern_time.c
index e7905a8..8383eae 100644
--- a/sys/kern/kern_time.c
+++ b/sys/kern/kern_time.c
@@ -46,6 +46,7 @@
 #include <sys/sysent.h>
 #include <sys/sysunion.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/time.h>
 #include <sys/vnode.h>
 #include <sys/sysctl.h>
@@ -166,7 +167,7 @@ sys_clock_settime(struct clock_settime_args *uap)
 	struct timespec ats;
 	int error;
 
-	if ((error = suser(td)) != 0)
+	if ((error = priv_check(td, PRIV_ROOT)) != 0)
 		return (error);
 	switch(uap->clock_id) {
 	case CLOCK_REALTIME:
@@ -345,7 +346,7 @@ sys_settimeofday(struct settimeofday_args *uap)
 	struct timezone atz;
 	int error;
 
-	if ((error = suser(td)))
+	if ((error = priv_check(td, PRIV_ROOT)))
 		return (error);
 	/* Verify all parameters before changing time. */
 	if (uap->tv) {
@@ -457,7 +458,7 @@ sys_adjtime(struct adjtime_args *uap)
 	int64_t ndelta, odelta;
 	int error;
 
-	if ((error = suser(td)))
+	if ((error = priv_check(td, PRIV_ROOT)))
 		return (error);
 	if ((error =
 	    copyin((caddr_t)uap->delta, (caddr_t)&atv, sizeof(struct timeval))))
@@ -489,7 +490,7 @@ sysctl_adjtime(SYSCTL_HANDLER_ARGS)
 	int error;
 
 	if (req->newptr != NULL) {
-		if (suser(curthread))
+		if (priv_check(curthread, PRIV_ROOT))
 			return (EPERM);
 		error = SYSCTL_IN(req, &delta, sizeof(delta));
 		if (error)
@@ -513,7 +514,7 @@ sysctl_delta(SYSCTL_HANDLER_ARGS)
 	int error;
 
 	if (req->newptr != NULL) {
-		if (suser(curthread))
+		if (priv_check(curthread, PRIV_ROOT))
 			return (EPERM);
 		error = SYSCTL_IN(req, &delta, sizeof(delta));
 		if (error)
@@ -538,7 +539,7 @@ sysctl_adjfreq(SYSCTL_HANDLER_ARGS)
 	int error;
 
 	if (req->newptr != NULL) {
-		if (suser(curthread))
+		if (priv_check(curthread, PRIV_ROOT))
 			return (EPERM);
 		error = SYSCTL_IN(req, &freqdelta, sizeof(freqdelta));
 		if (error)
diff --git a/sys/kern/kern_usched.c b/sys/kern/kern_usched.c
index 24bbb77..3699367 100644
--- a/sys/kern/kern_usched.c
+++ b/sys/kern/kern_usched.c
@@ -37,6 +37,7 @@
 #include <sys/errno.h>
 #include <sys/globaldata.h>		/* curthread */
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/sysproto.h>		/* struct usched_set_args */
 #include <sys/systm.h>			/* strcmp() */
 #include <sys/usched.h>	
@@ -162,7 +163,7 @@ sys_usched_set(struct usched_set_args *uap)
 	struct lwp *lp;
 	int cpuid;
 
-	if ((error = suser(curthread)) != 0)
+	if ((error = priv_check(curthread, PRIV_ROOT)) != 0)
 		return (error);
 
 	if (uap->pid != 0 && uap->pid != curthread->td_proc->p_pid)
diff --git a/sys/kern/kern_varsym.c b/sys/kern/kern_varsym.c
index c50a57c..955ccba 100644
--- a/sys/kern/kern_varsym.c
+++ b/sys/kern/kern_varsym.c
@@ -45,6 +45,7 @@
 #include <sys/ucred.h>
 #include <sys/resourcevar.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/jail.h>
 #include <sys/queue.h>
 #include <sys/sysctl.h>
@@ -149,7 +150,7 @@ sys_varsym_set(struct varsym_set_args *uap)
 	    uap->level = VARSYM_PRISON;
     case VARSYM_PRISON:
 	if (curthread->td_proc != NULL &&
-	    (error = suser_cred(curthread->td_proc->p_ucred, PRISON_ROOT)) != 0)
+	    (error = priv_check_cred(curthread->td_proc->p_ucred, PRIV_ROOT, PRISON_ROOT)) != 0)
 	    break;
 	/* fall through */
     case VARSYM_USER:
diff --git a/sys/kern/kern_xxx.c b/sys/kern/kern_xxx.c
index ebbed06..f057bc8 100644
--- a/sys/kern/kern_xxx.c
+++ b/sys/kern/kern_xxx.c
@@ -40,6 +40,7 @@
 #include <sys/sysproto.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/sysctl.h>
 #include <sys/utsname.h>
 
@@ -125,7 +126,7 @@ sys_setdomainname(struct setdomainname_args *uap)
 	struct thread *td = curthread;
         int error, domainnamelen;
 
-        if ((error = suser(td)))
+        if ((error = priv_check(td, PRIV_ROOT)))
                 return (error);
         if ((u_int)uap->len > sizeof (domainname) - 1)
                 return EINVAL;
diff --git a/sys/kern/subr_prf.c b/sys/kern/subr_prf.c
index 35b4b80..d403a39 100644
--- a/sys/kern/subr_prf.c
+++ b/sys/kern/subr_prf.c
@@ -48,6 +48,7 @@
 #include <sys/msgbuf.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/tty.h>
 #include <sys/tprintf.h>
 #include <sys/stdint.h>
@@ -911,7 +912,7 @@ sysctl_kern_msgbuf(SYSCTL_HANDLER_ARGS)
 		cred = req->td->td_proc->p_ucred;
 
 		if ((cred->cr_prison || groupmember(0, cred) == 0) &&
-		    suser(req->td) != 0
+		    priv_check(req->td, PRIV_ROOT) != 0
 		) {
 			return (EPERM);
 		}
diff --git a/sys/kern/sys_process.c b/sys/kern/sys_process.c
index 4427ac4..4c0d825 100644
--- a/sys/kern/sys_process.c
+++ b/sys/kern/sys_process.c
@@ -36,6 +36,7 @@
 #include <sys/systm.h>
 #include <sys/sysproto.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/vnode.h>
 #include <sys/ptrace.h>
 #include <sys/reg.h>
@@ -319,7 +320,7 @@ kern_ptrace(struct proc *curp, int req, pid_t pid, void *addr, int data, int *re
 		/* not owned by you, has done setuid (unless you're root) */
 		if ((p->p_ucred->cr_ruid != curp->p_ucred->cr_ruid) ||
 		     (p->p_flag & P_SUGID)) {
-			if ((error = suser_cred(curp->p_ucred, 0)) != 0)
+			if ((error = priv_check_cred(curp->p_ucred, PRIV_ROOT, 0)) != 0)
 				return error;
 		}
 
diff --git a/sys/kern/sysv_ipc.c b/sys/kern/sysv_ipc.c
index 9d14be7..7648f93 100644
--- a/sys/kern/sysv_ipc.c
+++ b/sys/kern/sysv_ipc.c
@@ -37,6 +37,7 @@
 #include <sys/param.h>
 #include <sys/ipc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/ucred.h>
 
 #if defined(SYSVSEM) || defined(SYSVSHM) || defined(SYSVMSG)
@@ -53,7 +54,7 @@ ipcperm(struct proc *p, struct ipc_perm *perm, int mode)
 	/* Check for user match. */
 	if (cred->cr_uid != perm->cuid && cred->cr_uid != perm->uid) {
 		if (mode & IPC_M)
-			return (suser_cred(cred, 0) == 0 ? 0 : EPERM);
+			return (priv_check_cred(cred, PRIV_ROOT, 0) == 0 ? 0 : EPERM);
 		/* Check for group match. */
 		mode >>= 3;
 		if (!groupmember(perm->gid, cred) &&
@@ -65,7 +66,7 @@ ipcperm(struct proc *p, struct ipc_perm *perm, int mode)
 	if (mode & IPC_M)
 		return (0);
 	return ((mode & perm->mode) == mode || 
-		suser_cred(cred, 0) == 0 ? 0 : EACCES);
+		priv_check_cred(cred, PRIV_ROOT, 0) == 0 ? 0 : EACCES);
 }
 
 #endif /* defined(SYSVSEM) || defined(SYSVSHM) || defined(SYSVMSG) */
diff --git a/sys/kern/sysv_msg.c b/sys/kern/sysv_msg.c
index 574cc72..51ac36c 100644
--- a/sys/kern/sysv_msg.c
+++ b/sys/kern/sysv_msg.c
@@ -27,6 +27,7 @@
 #include <sys/sysproto.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/msg.h>
 #include <sys/sysent.h>
 #include <sys/sysctl.h>
@@ -316,7 +317,7 @@ sys_msgctl(struct msgctl_args *uap)
 		if ((eval = copyin(user_msqptr, &msqbuf, sizeof(msqbuf))) != 0)
 			return(eval);
 		if (msqbuf.msg_qbytes > msqptr->msg_qbytes) {
-			eval = suser(td);
+			eval = priv_check(td, PRIV_ROOT);
 			if (eval)
 				return(eval);
 		}
diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index 14b0a3a..c252227 100644
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -78,6 +78,7 @@
 #include <sys/ioctl_compat.h>
 #endif
 #include <sys/proc.h>
+#include <sys/priv.h>
 #define	TTYDEFCHARS
 #include <sys/tty.h>
 #include <sys/clist.h>
@@ -902,7 +903,7 @@ ttioctl(struct tty *tp, u_long cmd, void *data, int flag)
 			    ISSET(constty->t_state, TS_CONNECTED))
 				return (EBUSY);
 #ifndef	UCONSOLE
-			if ((error = suser(td)) != 0)
+			if ((error = priv_check(td, PRIV_ROOT)) != 0)
 				return (error);
 #endif
 			constty = tp;
@@ -1074,9 +1075,9 @@ ttioctl(struct tty *tp, u_long cmd, void *data, int flag)
 		crit_exit();
 		break;
 	case TIOCSTI:			/* simulate terminal input */
-		if ((flag & FREAD) == 0 && suser(td))
+		if ((flag & FREAD) == 0 && priv_check(td, PRIV_ROOT))
 			return (EPERM);
-		if (!isctty(p, tp) && suser(td))
+		if (!isctty(p, tp) && priv_check(td, PRIV_ROOT))
 			return (EACCES);
 		crit_enter();
 		(*linesw[tp->t_line].l_rint)(*(u_char *)data, tp);
@@ -1124,7 +1125,7 @@ ttioctl(struct tty *tp, u_long cmd, void *data, int flag)
 		}
 		break;
 	case TIOCSDRAINWAIT:
-		error = suser(td);
+		error = priv_check(td, PRIV_ROOT);
 		if (error)
 			return (error);
 		tp->t_timeout = *(int *)data * hz;
diff --git a/sys/kern/tty_cons.c b/sys/kern/tty_cons.c
index e4bff4e..5115ca2 100644
--- a/sys/kern/tty_cons.c
+++ b/sys/kern/tty_cons.c
@@ -48,6 +48,7 @@
 #include <sys/cons.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/reboot.h>
 #include <sys/sysctl.h>
 #include <sys/tty.h>
@@ -438,7 +439,7 @@ cnioctl(struct dev_ioctl_args *ap)
 	 */
 	if (ap->a_cmd == TIOCCONS && constty) {
 		if (ap->a_cred) {
-			error = suser_cred(ap->a_cred, 0);
+			error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0);
 			if (error)
 				return (error);
 		}
diff --git a/sys/kern/tty_pty.c b/sys/kern/tty_pty.c
index 53e4ddf..dafe757 100644
--- a/sys/kern/tty_pty.c
+++ b/sys/kern/tty_pty.c
@@ -48,6 +48,7 @@
 #include <sys/ioctl_compat.h>
 #endif
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/tty.h>
 #include <sys/conf.h>
 #include <sys/fcntl.h>
@@ -191,7 +192,7 @@ ptsopen(struct dev_open_args *ap)
 		tp->t_lflag = TTYDEF_LFLAG;
 		tp->t_cflag = TTYDEF_CFLAG;
 		tp->t_ispeed = tp->t_ospeed = TTYDEF_SPEED;
-	} else if ((tp->t_state & TS_XCLUDE) && suser_cred(ap->a_cred, 0)) {
+	} else if ((tp->t_state & TS_XCLUDE) && priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) {
 		return (EBUSY);
 	} else if (pti->pt_prison != ap->a_cred->cr_prison) {
 		return (EBUSY);
diff --git a/sys/kern/vfs_helper.c b/sys/kern/vfs_helper.c
index 9b82fb7..531fd3e 100644
--- a/sys/kern/vfs_helper.c
+++ b/sys/kern/vfs_helper.c
@@ -54,6 +54,7 @@
 #include <sys/vnode.h>
 #include <sys/file.h>		/* XXX */
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/jail.h>
 
 /*
@@ -150,7 +151,7 @@ vop_helper_setattr_flags(u_int32_t *ino_flags, u_int32_t vaflags,
 	 * If uid doesn't match only the super-user can change the flags
 	 */
 	if (cred->cr_uid != uid &&
-	    (error = suser_cred(cred, PRISON_ROOT))) {
+	    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT))) {
 		return(error);
 	}
 	if (cred->cr_uid == 0 &&
@@ -197,7 +198,7 @@ vop_helper_chmod(struct vnode *vp, mode_t new_mode, struct ucred *cred,
 	int error;
 
 	if (cred->cr_uid != cur_uid) {
-		error = suser_cred(cred, PRISON_ROOT);
+		error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT);
 		if (error)
 			return (error);
 	}
@@ -237,7 +238,7 @@ vop_helper_chown(struct vnode *vp, uid_t new_uid, gid_t new_gid,
 	if ((cred->cr_uid != *cur_uidp || new_uid != *cur_uidp ||
 	    (new_gid != *cur_gidp && !(cred->cr_gid == new_gid ||
 	    groupmember(new_gid, cred)))) &&
-	    (error = suser_cred(cred, PRISON_ROOT))) {
+	    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT))) {
 		return (error);
 	}
 	ogid = *cur_gidp;
diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 04b5a21..948c724 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -58,6 +58,7 @@
 #include <sys/unistd.h>
 #include <sys/vnode.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/namei.h>
 #include <sys/nlookup.h>
 #include <sys/dirent.h>
@@ -127,20 +128,20 @@ sys_mount(struct mount_args *uap)
 	KKASSERT(p);
 	if (cred->cr_prison != NULL)
 		return (EPERM);
-	if (usermount == 0 && (error = suser(td)))
+	if (usermount == 0 && (error = priv_check(td, PRIV_ROOT)))
 		return (error);
 	/*
 	 * Do not allow NFS export by non-root users.
 	 */
 	if (uap->flags & MNT_EXPORTED) {
-		error = suser(td);
+		error = priv_check(td, PRIV_ROOT);
 		if (error)
 			return (error);
 	}
 	/*
 	 * Silently enforce MNT_NOSUID and MNT_NODEV for non-root users
 	 */
-	if (suser(td)) 
+	if (priv_check(td, PRIV_ROOT)) 
 		uap->flags |= MNT_NOSUID | MNT_NODEV;
 
 	/*
@@ -208,7 +209,7 @@ sys_mount(struct mount_args *uap)
 		 * permitted to update it.
 		 */
 		if (mp->mnt_stat.f_owner != cred->cr_uid &&
-		    (error = suser(td))) {
+		    (error = priv_check(td, PRIV_ROOT))) {
 			cache_drop(&nch);
 			vput(vp);
 			return (error);
@@ -235,7 +236,7 @@ sys_mount(struct mount_args *uap)
 	 * onto which we are attempting to mount.
 	 */
 	if ((error = VOP_GETATTR(vp, &va)) ||
-	    (va.va_uid != cred->cr_uid && (error = suser(td)))) {
+	    (va.va_uid != cred->cr_uid && (error = priv_check(td, PRIV_ROOT)))) {
 		cache_drop(&nch);
 		vput(vp);
 		return (error);
@@ -268,7 +269,7 @@ sys_mount(struct mount_args *uap)
 		linker_file_t lf;
 
 		/* Only load modules for root (very important!) */
-		if ((error = suser(td)) != 0) {
+		if ((error = priv_check(td, PRIV_ROOT)) != 0) {
 			cache_drop(&nch);
 			vput(vp);
 			return error;
@@ -548,7 +549,7 @@ sys_unmount(struct unmount_args *uap)
 	KKASSERT(p);
 	if (p->p_ucred->cr_prison != NULL)
 		return (EPERM);
-	if (usermount == 0 && (error = suser(td)))
+	if (usermount == 0 && (error = priv_check(td, PRIV_ROOT)))
 		return (error);
 
 	error = nlookup_init(&nd, uap->path, UIO_USERSPACE, NLC_FOLLOW);
@@ -564,7 +565,7 @@ sys_unmount(struct unmount_args *uap)
 	 * permitted to unmount this filesystem.
 	 */
 	if ((mp->mnt_stat.f_owner != p->p_ucred->cr_uid) &&
-	    (error = suser(td)))
+	    (error = priv_check(td, PRIV_ROOT)))
 		goto out;
 
 	/*
@@ -911,7 +912,7 @@ sys_mountctl(struct mountctl_args *uap)
 	KKASSERT(p);
 	if (p->p_ucred->cr_prison != NULL)
 		return (EPERM);
-	if ((error = suser(td)) != 0)
+	if ((error = priv_check(td, PRIV_ROOT)) != 0)
 		return (error);
 
 	/*
@@ -1041,7 +1042,7 @@ kern_statfs(struct nlookupdata *nd, struct statfs *buf)
 	sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
 	bcopy(sp, buf, sizeof(*buf));
 	/* Only root should have access to the fsid's. */
-	if (suser(td))
+	if (priv_check(td, PRIV_ROOT))
 		buf->f_fsid.val[0] = buf->f_fsid.val[1] = 0;
 	return (0);
 }
@@ -1104,7 +1105,7 @@ kern_fstatfs(int fd, struct statfs *buf)
 	bcopy(sp, buf, sizeof(*buf));
 
 	/* Only root should have access to the fsid's. */
-	if (suser(td))
+	if (priv_check(td, PRIV_ROOT))
 		buf->f_fsid.val[0] = buf->f_fsid.val[1] = 0;
 	error = 0;
 done:
@@ -1602,7 +1603,7 @@ kern_chroot(struct nchandle *nch)
 	/*
 	 * Only root can chroot
 	 */
-	if ((error = suser_cred(p->p_ucred, PRISON_ROOT)) != 0)
+	if ((error = priv_check_cred(p->p_ucred, PRIV_ROOT, PRISON_ROOT)) != 0)
 		return (error);
 
 	/*
@@ -1853,10 +1854,10 @@ kern_mknod(struct nlookupdata *nd, int mode, int rmajor, int rminor)
 	switch (mode & S_IFMT) {
 	case S_IFCHR:
 	case S_IFBLK:
-		error = suser(td);
+		error = priv_check(td, PRIV_ROOT);
 		break;
 	default:
-		error = suser_cred(p->p_ucred, PRISON_ROOT);
+		error = priv_check_cred(p->p_ucred, PRIV_ROOT, PRISON_ROOT);
 		break;
 	}
 	if (error)
@@ -2006,7 +2007,7 @@ can_hardlink(struct vnode *vp, struct thread *td, struct ucred *cred)
 	/*
 	 * root cred can always hardlink
 	 */
-	if (suser_cred(cred, PRISON_ROOT) == 0)
+	if (priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT) == 0)
 		return (0);
 
 	/*
@@ -2537,7 +2538,7 @@ setfflags(struct vnode *vp, int flags)
 	 * chown can't fail when done as root.
 	 */
 	if ((vp->v_type == VCHR || vp->v_type == VBLK) && 
-	    ((error = suser_cred(p->p_ucred, PRISON_ROOT)) != 0))
+	    ((error = priv_check_cred(p->p_ucred, PRIV_ROOT, PRISON_ROOT)) != 0))
 		return (error);
 
 	/*
@@ -3566,7 +3567,7 @@ sys_revoke(struct revoke_args *uap)
 		if (error == 0)
 			error = VOP_GETATTR(vp, &vattr);
 		if (error == 0 && cred->cr_uid != vattr.va_uid)
-			error = suser_cred(cred, PRISON_ROOT);
+			error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT);
 		if (error == 0 && count_udev(vp->v_umajor, vp->v_uminor) > 0) {
 			error = 0;
 			vx_lock(vp);
@@ -3607,7 +3608,7 @@ sys_getfh(struct getfh_args *uap)
 	/*
 	 * Must be super user
 	 */
-	if ((error = suser(td)) != 0)
+	if ((error = priv_check(td, PRIV_ROOT)) != 0)
 		return (error);
 
 	vp = NULL;
@@ -3635,7 +3636,7 @@ sys_getfh(struct getfh_args *uap)
  * syscall for the rpc.lockd to use to translate a NFS file handle into
  * an open descriptor.
  *
- * warning: do not remove the suser() call or this becomes one giant
+ * warning: do not remove the priv_check() call or this becomes one giant
  * security hole.
  */
 int
@@ -3657,7 +3658,7 @@ sys_fhopen(struct fhopen_args *uap)
 	/*
 	 * Must be super user
 	 */
-	error = suser(td);
+	error = priv_check(td, PRIV_ROOT);
 	if (error)
 		return (error);
 
@@ -3818,7 +3819,7 @@ sys_fhstat(struct fhstat_args *uap)
 	/*
 	 * Must be super user
 	 */
-	error = suser(td);
+	error = priv_check(td, PRIV_ROOT);
 	if (error)
 		return (error);
 	
@@ -3857,7 +3858,7 @@ sys_fhstatfs(struct fhstatfs_args *uap)
 	/*
 	 * Must be super user
 	 */
-	if ((error = suser(td)))
+	if ((error = priv_check(td, PRIV_ROOT)))
 		return (error);
 
 	if ((error = copyin(uap->u_fhp, &fh, sizeof(fhandle_t))) != 0)
@@ -3885,7 +3886,7 @@ sys_fhstatfs(struct fhstatfs_args *uap)
 	kfree(freepath, M_TEMP);
 
 	sp->f_flags = mp->mnt_flag & MNT_VISFLAGMASK;
-	if (suser(td)) {
+	if (priv_check(td, PRIV_ROOT)) {
 		bcopy(sp, &sb, sizeof(sb));
 		sb.f_fsid.val[0] = sb.f_fsid.val[1] = 0;
 		sp = &sb;
@@ -3910,7 +3911,7 @@ sys_fhstatvfs(struct fhstatvfs_args *uap)
 	/*
 	 * Must be super user
 	 */
-	if ((error = suser(td)))
+	if ((error = priv_check(td, PRIV_ROOT)))
 		return (error);
 
 	if ((error = copyin(uap->u_fhp, &fh, sizeof(fhandle_t))) != 0)
diff --git a/sys/kern/vfs_vnops.c b/sys/kern/vfs_vnops.c
index 3e9a8d1..db2c1ec 100644
--- a/sys/kern/vfs_vnops.c
+++ b/sys/kern/vfs_vnops.c
@@ -46,6 +46,7 @@
 #include <sys/file.h>
 #include <sys/stat.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/mount.h>
 #include <sys/nlookup.h>
 #include <sys/vnode.h>
@@ -944,7 +945,7 @@ vn_stat(struct vnode *vp, struct stat *sb, struct ucred *cred)
 	}
 	
 	sb->st_flags = vap->va_flags;
-	if (suser_cred(cred, 0))
+	if (priv_check_cred(cred, PRIV_ROOT, 0))
 		sb->st_gen = 0;
 	else
 		sb->st_gen = (u_int32_t)vap->va_gen;
diff --git a/sys/net/bridge/if_bridge.c b/sys/net/bridge/if_bridge.c
index 46dc088..d945bd2 100644
--- a/sys/net/bridge/if_bridge.c
+++ b/sys/net/bridge/if_bridge.c
@@ -233,6 +233,7 @@
 #include <sys/sysctl.h>
 #include <sys/module.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/lock.h>
 #include <sys/thread.h>
 #include <sys/thread2.h>
@@ -806,7 +807,7 @@ bridge_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 		}
 
 		if (bc->bc_flags & BC_F_SUSER) {
-			error = suser_cred(cr, NULL_CRED_OKAY);
+			error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 			if (error)
 				break;
 		}
diff --git a/sys/net/gre/if_gre.c b/sys/net/gre/if_gre.c
index a0c44ff..cce46c4 100644
--- a/sys/net/gre/if_gre.c
+++ b/sys/net/gre/if_gre.c
@@ -57,6 +57,7 @@
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/sockio.h>
@@ -423,7 +424,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 	case SIOCSIFDSTADDR: 
 		break;
 	case SIOCSIFFLAGS:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)) != 0)
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 			break;
 		if ((ifr->ifr_flags & IFF_LINK0) != 0)
 			sc->g_proto = IPPROTO_GRE;
@@ -431,7 +432,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 			sc->g_proto = IPPROTO_MOBILE;
 		goto recompute;
 	case SIOCSIFMTU:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)) != 0)
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 			break;
 		if (ifr->ifr_mtu < 576) {
 			error = EINVAL;
@@ -444,7 +445,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 		break;
 	case SIOCADDMULTI:
 	case SIOCDELMULTI:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)) != 0)
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 			break;
 		if (ifr == 0) {
 			error = EAFNOSUPPORT;
@@ -461,7 +462,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 		}
 		break;
 	case GRESPROTO:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)) != 0)
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 			break;
 		sc->g_proto = ifr->ifr_flags;
 		switch (sc->g_proto) {
@@ -481,7 +482,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 		break;
 	case GRESADDRS:
 	case GRESADDRD:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)) != 0)
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 			break;
 		/*
 		 * set tunnel endpoints, compute a less specific route
@@ -547,7 +548,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 		ifr->ifr_addr = *sa;
 		break;
 	case SIOCSIFPHYADDR:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)) != 0)
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 			break;
 		if (aifr->ifra_addr.sin_family != AF_INET ||
 		    aifr->ifra_dstaddr.sin_family != AF_INET) {
@@ -563,7 +564,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 		sc->g_dst = aifr->ifra_dstaddr.sin_addr;
 		goto recompute;
 	case SIOCSLIFPHYADDR:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)) != 0)
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 			break;
 		if (lifr->addr.ss_family != AF_INET ||
 		    lifr->dstaddr.ss_family != AF_INET) {
@@ -580,7 +581,7 @@ gre_ioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 		    (satosin((struct sockadrr *)&lifr->dstaddr))->sin_addr;
 		goto recompute;
 	case SIOCDIFPHYADDR:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)) != 0)
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 			break;
 		sc->g_src.s_addr = INADDR_ANY;
 		sc->g_dst.s_addr = INADDR_ANY;
diff --git a/sys/net/i4b/driver/i4b_ipr.c b/sys/net/i4b/driver/i4b_ipr.c
index be2f31e..2333f6f 100644
--- a/sys/net/i4b/driver/i4b_ipr.c
+++ b/sys/net/i4b/driver/i4b_ipr.c
@@ -499,7 +499,7 @@ i4biprioctl(struct ifnet *ifp, IOCTL_CMD_T cmd, caddr_t data, struct ucred *cr)
 			{
 			struct thread *td = curthread;	/* XXX */
 
-			if ((error = suser(td)) != 0)
+			if ((error = priv_check(td, PRIV_ROOT)) != 0)
 				return (error);
 		        sl_compress_setup(sc->sc_compr, *(int *)data);
 			}
diff --git a/sys/net/if.c b/sys/net/if.c
index 8ceedb4..09f752d 100644
--- a/sys/net/if.c
+++ b/sys/net/if.c
@@ -45,6 +45,7 @@
 #include <sys/mbuf.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -1195,7 +1196,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct ucred *cred)
 	switch (cmd) {
 	case SIOCIFCREATE:
 	case SIOCIFDESTROY:
-		if ((error = suser_cred(cred, 0)) != 0)
+		if ((error = priv_check_cred(cred, PRIV_ROOT, 0)) != 0)
 			return (error);
 		return ((cmd == SIOCIFCREATE) ?
 			if_clone_create(ifr->ifr_name, sizeof(ifr->ifr_name)) :
@@ -1248,7 +1249,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct ucred *cred)
 		break;
 
 	case SIOCSIFFLAGS:
-		error = suser_cred(cred, 0);
+		error = priv_check_cred(cred, PRIV_ROOT, 0);
 		if (error)
 			return (error);
 		new_flags = (ifr->ifr_flags & 0xffff) |
@@ -1294,7 +1295,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct ucred *cred)
 		break;
 
 	case SIOCSIFCAP:
-		error = suser_cred(cred, 0);
+		error = priv_check_cred(cred, PRIV_ROOT, 0);
 		if (error)
 			return (error);
 		if (ifr->ifr_reqcap & ~ifp->if_capabilities)
@@ -1305,7 +1306,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct ucred *cred)
 		break;
 
 	case SIOCSIFNAME:
-		error = suser_cred(cred, 0);
+		error = priv_check_cred(cred, PRIV_ROOT, 0);
 		if (error != 0)
 			return (error);
 		error = copyinstr(ifr->ifr_data, new_name, IFNAMSIZ, NULL);
@@ -1351,7 +1352,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct ucred *cred)
 		break;
 
 	case SIOCSIFMETRIC:
-		error = suser_cred(cred, 0);
+		error = priv_check_cred(cred, PRIV_ROOT, 0);
 		if (error)
 			return (error);
 		ifp->if_metric = ifr->ifr_metric;
@@ -1359,7 +1360,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct ucred *cred)
 		break;
 
 	case SIOCSIFPHYS:
-		error = suser_cred(cred, 0);
+		error = priv_check_cred(cred, PRIV_ROOT, 0);
 		if (error)
 			return error;
 		if (!ifp->if_ioctl)
@@ -1375,7 +1376,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct ucred *cred)
 	{
 		u_long oldmtu = ifp->if_mtu;
 
-		error = suser_cred(cred, 0);
+		error = priv_check_cred(cred, PRIV_ROOT, 0);
 		if (error)
 			return (error);
 		if (ifp->if_ioctl == NULL)
@@ -1402,7 +1403,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct ucred *cred)
 
 	case SIOCADDMULTI:
 	case SIOCDELMULTI:
-		error = suser_cred(cred, 0);
+		error = priv_check_cred(cred, PRIV_ROOT, 0);
 		if (error)
 			return (error);
 
@@ -1432,7 +1433,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct ucred *cred)
 	case SIOCSLIFPHYADDR:
         case SIOCSIFMEDIA:
 	case SIOCSIFGENERIC:
-		error = suser_cred(cred, 0);
+		error = priv_check_cred(cred, PRIV_ROOT, 0);
 		if (error)
 			return (error);
 		if (ifp->if_ioctl == 0)
@@ -1461,7 +1462,7 @@ ifioctl(struct socket *so, u_long cmd, caddr_t data, struct ucred *cred)
 		return (error);
 
 	case SIOCSIFLLADDR:
-		error = suser_cred(cred, 0);
+		error = priv_check_cred(cred, PRIV_ROOT, 0);
 		if (error)
 			return (error);
 		return if_setlladdr(ifp,
diff --git a/sys/net/pf/if_pfsync.c b/sys/net/pf/if_pfsync.c
index c3c5c5b..fd78d23 100644
--- a/sys/net/pf/if_pfsync.c
+++ b/sys/net/pf/if_pfsync.c
@@ -35,6 +35,7 @@
 
 #include <sys/param.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/systm.h>
 #include <sys/time.h>
 #include <sys/mbuf.h>
@@ -676,7 +677,7 @@ pfsyncioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 			return (error);
 		break;
 	case SIOCSETPFSYNC:
-		if ((error = suser_cred(cr, NULL_CRED_OKAY)) != 0)
+		if ((error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 			return (error);
 		if ((error = copyin(ifr->ifr_data, &pfsyncr, sizeof(pfsyncr))))
 			return (error);
diff --git a/sys/net/ppp/if_ppp.c b/sys/net/ppp/if_ppp.c
index 3f1bc15..c35fbb9 100644
--- a/sys/net/ppp/if_ppp.c
+++ b/sys/net/ppp/if_ppp.c
@@ -88,6 +88,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/filio.h>
@@ -402,7 +403,7 @@ pppioctl(struct ppp_softc *sc, u_long cmd, caddr_t data,
 	break;
 
     case PPPIOCSFLAGS:
-	if ((error = suser_cred(cred, 0)) != 0)
+	if ((error = priv_check_cred(cred, PRIV_ROOT, 0)) != 0)
 	    return (error);
 	flags = *(int *)data & SC_MASK;
 	crit_enter();
@@ -415,7 +416,7 @@ pppioctl(struct ppp_softc *sc, u_long cmd, caddr_t data,
 	break;
 
     case PPPIOCSMRU:
-	if ((error = suser_cred(cred, 0)) != 0)
+	if ((error = priv_check_cred(cred, PRIV_ROOT, 0)) != 0)
 	    return (error);
 	mru = *(int *)data;
 	if (mru >= PPP_MRU && mru <= PPP_MAXMRU)
@@ -428,7 +429,7 @@ pppioctl(struct ppp_softc *sc, u_long cmd, caddr_t data,
 
 #ifdef VJC
     case PPPIOCSMAXCID:
-	if ((error = suser_cred(cred, 0)) != 0)
+	if ((error = priv_check_cred(cred, PRIV_ROOT, 0)) != 0)
 	    return (error);
 	if (sc->sc_comp) {
 	    crit_enter();
@@ -439,14 +440,14 @@ pppioctl(struct ppp_softc *sc, u_long cmd, caddr_t data,
 #endif
 
     case PPPIOCXFERUNIT:
-	if ((error = suser_cred(cred, 0)) != 0)
+	if ((error = priv_check_cred(cred, PRIV_ROOT, 0)) != 0)
 	    return (error);
 	sc->sc_xfer = curthread;
 	break;
 
 #ifdef PPP_COMPRESS
     case PPPIOCSCOMPRESS:
-	if ((error = suser_cred(cred, 0)) != 0)
+	if ((error = priv_check_cred(cred, PRIV_ROOT, 0)) != 0)
 	    return (error);
 	odp = (struct ppp_option_data *) data;
 	nb = odp->length;
@@ -514,7 +515,7 @@ pppioctl(struct ppp_softc *sc, u_long cmd, caddr_t data,
 	if (cmd == PPPIOCGNPMODE) {
 	    npi->mode = sc->sc_npmode[npx];
 	} else {
-	    if ((error = suser_cred(cred, 0)) != 0)
+	    if ((error = priv_check_cred(cred, PRIV_ROOT, 0)) != 0)
 		return (error);
 	    if (npi->mode != sc->sc_npmode[npx]) {
 		crit_enter();
@@ -630,7 +631,7 @@ pppsioctl(struct ifnet *ifp, u_long cmd, caddr_t data, struct ucred *cr)
 	break;
 
     case SIOCSIFMTU:
-	if ((error = suser_cred(cr, 0)) != 0)
+	if ((error = priv_check_cred(cr, PRIV_ROOT, 0)) != 0)
 	    break;
 	if (ifr->ifr_mtu > PPP_MAXMTU)
 	    error = EINVAL;
diff --git a/sys/net/ppp_layer/ppp_tty.c b/sys/net/ppp_layer/ppp_tty.c
index b101e8e..59688a7 100644
--- a/sys/net/ppp_layer/ppp_tty.c
+++ b/sys/net/ppp_layer/ppp_tty.c
@@ -80,6 +80,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/mbuf.h>
 #include <sys/dkstat.h>
 #include <sys/socket.h>
@@ -177,7 +178,7 @@ pppopen(cdev_t dev, struct tty *tp)
     struct ppp_softc *sc;
     int error;
 
-    if ((error = suser(td)) != 0)
+    if ((error = priv_check(td, PRIV_ROOT)) != 0)
 	return (error);
 
     crit_enter();
@@ -434,7 +435,7 @@ ppptioctl(struct tty *tp, u_long cmd, caddr_t data, int flag, struct ucred *cr)
     error = 0;
     switch (cmd) {
     case PPPIOCSASYNCMAP:
-	if ((error = suser_cred(cr, 0)) != 0)
+	if ((error = priv_check_cred(cr, PRIV_ROOT, 0)) != 0)
 	    break;
 	sc->sc_asyncmap[0] = *(u_int *)data;
 	break;
@@ -444,7 +445,7 @@ ppptioctl(struct tty *tp, u_long cmd, caddr_t data, int flag, struct ucred *cr)
 	break;
 
     case PPPIOCSRASYNCMAP:
-	if ((error = suser_cred(cr, 0)) != 0)
+	if ((error = priv_check_cred(cr, PRIV_ROOT, 0)) != 0)
 	    break;
 	sc->sc_rasyncmap = *(u_int *)data;
 	break;
@@ -454,7 +455,7 @@ ppptioctl(struct tty *tp, u_long cmd, caddr_t data, int flag, struct ucred *cr)
 	break;
 
     case PPPIOCSXASYNCMAP:
-	if ((error = suser_cred(cr, 0)) != 0)
+	if ((error = priv_check_cred(cr, PRIV_ROOT, 0)) != 0)
 	    break;
 	crit_enter();
 	bcopy(data, sc->sc_asyncmap, sizeof(sc->sc_asyncmap));
diff --git a/sys/net/raw_usrreq.c b/sys/net/raw_usrreq.c
index 48e2335..fb38a76 100644
--- a/sys/net/raw_usrreq.c
+++ b/sys/net/raw_usrreq.c
@@ -39,6 +39,7 @@
 #include <sys/systm.h>
 #include <sys/mbuf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -152,7 +153,7 @@ raw_uattach(struct socket *so, int proto, struct pru_attach_info *ai)
 
 	if (rp == NULL)
 		return EINVAL;
-	if ((error = suser_cred(ai->p_ucred, NULL_CRED_OKAY)) != 0)
+	if ((error = priv_check_cred(ai->p_ucred, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 		return error;
 	return raw_attach(so, proto, ai->sb_rlimit);
 }
diff --git a/sys/net/rtsock.c b/sys/net/rtsock.c
index e00598c..3b95ed0 100644
--- a/sys/net/rtsock.c
+++ b/sys/net/rtsock.c
@@ -74,6 +74,7 @@
 #include <sys/kernel.h>
 #include <sys/sysctl.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
@@ -513,7 +514,7 @@ route_output(struct mbuf *m, struct socket *so, ...)
 	 * Verify that the caller has the appropriate privilege; RTM_GET
 	 * is the only operation the non-superuser is allowed.
 	 */
-	if (rtm->rtm_type != RTM_GET && suser_cred(so->so_cred, 0) != 0)
+	if (rtm->rtm_type != RTM_GET && priv_check_cred(so->so_cred, PRIV_ROOT, 0) != 0)
 		gotoerr(EPERM);
 
 	switch (rtm->rtm_type) {
diff --git a/sys/net/sl/if_sl.c b/sys/net/sl/if_sl.c
index aa65c02..2c9b327 100644
--- a/sys/net/sl/if_sl.c
+++ b/sys/net/sl/if_sl.c
@@ -72,6 +72,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/dkstat.h>
@@ -253,7 +254,7 @@ slopen(cdev_t dev, struct tty *tp)
 	int error;
 	struct thread *td = curthread;	/* XXX */
 
-	error = suser(td);
+	error = priv_check(td, PRIV_ROOT);
 	if (error)
 		return (error);
 
diff --git a/sys/net/tap/if_tap.c b/sys/net/tap/if_tap.c
index c085fda..ec725a6 100644
--- a/sys/net/tap/if_tap.c
+++ b/sys/net/tap/if_tap.c
@@ -48,6 +48,7 @@
 #include <sys/mbuf.h>
 #include <sys/poll.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/signalvar.h>
 #include <sys/socket.h>
 #include <sys/sockio.h>
@@ -266,7 +267,7 @@ tapopen(struct dev_open_args *ap)
 	struct ifnet *ifp = NULL;
 	int error;
 
-	if ((error = suser_cred(ap->a_cred, 0)) != 0)
+	if ((error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) != 0)
 		return (error);
 
 	get_mplock();
diff --git a/sys/net/tun/if_tun.c b/sys/net/tun/if_tun.c
index 468954d..dc8b2c4 100644
--- a/sys/net/tun/if_tun.c
+++ b/sys/net/tun/if_tun.c
@@ -24,6 +24,7 @@
 
 #include <sys/param.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/systm.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
@@ -138,7 +139,7 @@ tunopen(struct dev_open_args *ap)
 	struct tun_softc *tp;
 	int	error;
 
-	if ((error = suser_cred(ap->a_cred, 0)) != 0)
+	if ((error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0)) != 0)
 		return (error);
 
 	tp = dev->si_drv1;
diff --git a/sys/netbt/hci_ioctl.c b/sys/netbt/hci_ioctl.c
index cd1e168..0c75541 100644
--- a/sys/netbt/hci_ioctl.c
+++ b/sys/netbt/hci_ioctl.c
@@ -38,6 +38,7 @@
 #include <sys/kernel.h>
 #include <sys/mbuf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/systm.h>
 #include <sys/thread2.h>
 #include <sys/bus.h>
@@ -224,7 +225,7 @@ hci_ioctl(unsigned long cmd, void *data, struct proc *p)
 		break;
 
 	case SIOCSBTFLAGS:	/* set unit flags (privileged) */
-		err = suser(td);
+		err = priv_check(td, PRIV_ROOT);
 		if (err)
 			break;
 
@@ -249,7 +250,7 @@ hci_ioctl(unsigned long cmd, void *data, struct proc *p)
 		break;
 
 	case SIOCSBTPOLICY:	/* set unit link policy (privileged) */
-		err = suser(td);
+		err = priv_check(td, PRIV_ROOT);
 		if (err)
 			break;
 
@@ -259,7 +260,7 @@ hci_ioctl(unsigned long cmd, void *data, struct proc *p)
 		break;
 
 	case SIOCSBTPTYPE:	/* set unit packet types (privileged) */
-		err = suser(td);
+		err = priv_check(td, PRIV_ROOT);
 		if (err)
 			break;
 
@@ -273,7 +274,7 @@ hci_ioctl(unsigned long cmd, void *data, struct proc *p)
 		break;
 
 	case SIOCZBTSTATS:	/* get & reset unit statistics */
-		err = suser(td);
+		err = priv_check(td, PRIV_ROOT);
 		if (err)
 			break;
 
@@ -287,7 +288,7 @@ hci_ioctl(unsigned long cmd, void *data, struct proc *p)
 		 * sent to USB bluetooth controllers that are not an
 		 * integer number of frame sizes, the USB bus locks up.
 		 */
-		err = suser(td);
+		err = priv_check(td, PRIV_ROOT);
 		if (err)
 			break;
 
diff --git a/sys/netbt/hci_socket.c b/sys/netbt/hci_socket.c
index 685086b..0489721 100644
--- a/sys/netbt/hci_socket.c
+++ b/sys/netbt/hci_socket.c
@@ -43,6 +43,7 @@
 #include <sys/kernel.h>
 #include <sys/mbuf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -630,7 +631,7 @@ hci_sattach (struct socket *so, int proto, struct pru_attach_info *ai)
 	so->so_pcb = pcb;
 	pcb->hp_socket = so;
 
-	if (curproc == NULL || suser(curthread) == 0)
+	if (curproc == NULL || priv_check(curthread, PRIV_ROOT) == 0)
 		pcb->hp_flags |= HCI_PRIVILEGED;
 
 	/*
diff --git a/sys/netgraph/socket/ng_socket.c b/sys/netgraph/socket/ng_socket.c
index 6e11ae0..e5a31bb 100644
--- a/sys/netgraph/socket/ng_socket.c
+++ b/sys/netgraph/socket/ng_socket.c
@@ -52,6 +52,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/domain.h>
 #include <sys/errno.h>
 #include <sys/kernel.h>
@@ -162,7 +163,7 @@ ngc_attach(struct socket *so, int proto, struct pru_attach_info *ai)
 {
 	struct ngpcb *const pcbp = sotongpcb(so);
 
-	if (suser_cred(ai->p_ucred, NULL_CRED_OKAY) != 0)
+	if (priv_check_cred(ai->p_ucred, PRIV_ROOT, NULL_CRED_OKAY) != 0)
 		return (EPERM);
 	if (pcbp != NULL)
 		return (EISCONN);
diff --git a/sys/netgraph/tty/ng_tty.c b/sys/netgraph/tty/ng_tty.c
index 6688d1c..c457645 100644
--- a/sys/netgraph/tty/ng_tty.c
+++ b/sys/netgraph/tty/ng_tty.c
@@ -64,6 +64,7 @@
 #include <sys/kernel.h>
 #include <sys/conf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/mbuf.h>
 #include <sys/malloc.h>
 #include <sys/fcntl.h>
@@ -193,7 +194,7 @@ ngt_open(cdev_t dev, struct tty *tp)
 	int error;
 
 	/* Super-user only */
-	if ((error = suser(td)))
+	if ((error = priv_check(td, PRIV_ROOT)))
 		return (error);
 	crit_enter();
 
diff --git a/sys/netinet/in.c b/sys/netinet/in.c
index ab41137..e730830 100644
--- a/sys/netinet/in.c
+++ b/sys/netinet/in.c
@@ -42,6 +42,7 @@
 #include <sys/sockio.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/msgport.h>
 #include <sys/socket.h>
 
@@ -227,7 +228,7 @@ in_control(struct socket *so, u_long cmd, caddr_t data, struct ifnet *ifp,
 	switch (cmd) {
 	case SIOCALIFADDR:
 	case SIOCDLIFADDR:
-		if (td && (error = suser(td)) != 0)
+		if (td && (error = priv_check(td, PRIV_ROOT)) != 0)
 			return error;
 		/* FALLTHROUGH */
 	case SIOCGLIFADDR:
@@ -511,7 +512,7 @@ in_control_internal(u_long cmd, caddr_t data, struct ifnet *ifp,
 	case SIOCSIFADDR:
 	case SIOCSIFNETMASK:
 	case SIOCSIFDSTADDR:
-		if (td && (error = suser(td)) != 0)
+		if (td && (error = priv_check(td, PRIV_ROOT)) != 0)
 			return error;
 
 		if (ifp == NULL)
@@ -566,7 +567,7 @@ in_control_internal(u_long cmd, caddr_t data, struct ifnet *ifp,
 		break;
 
 	case SIOCSIFBRDADDR:
-		if (td && (error = suser(td)) != 0)
+		if (td && (error = priv_check(td, PRIV_ROOT)) != 0)
 			return error;
 		/* FALLTHROUGH */
 
diff --git a/sys/netinet/in_pcb.c b/sys/netinet/in_pcb.c
index 25f0684..9f7bfe1 100644
--- a/sys/netinet/in_pcb.c
+++ b/sys/netinet/in_pcb.c
@@ -80,6 +80,7 @@
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/sysctl.h>
@@ -290,7 +291,7 @@ in_pcbbind(struct inpcb *inp, struct sockaddr *nam, struct thread *td)
 
 			/* GROSS */
 			if (ntohs(lport) < IPPORT_RESERVED &&
-			    cred && suser_cred(cred, PRISON_ROOT))
+			    cred && priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT))
 				return (EACCES);
 			if (so->so_cred->cr_uid != 0 &&
 			    !IN_MULTICAST(ntohl(sin->sin_addr.s_addr))) {
@@ -348,7 +349,7 @@ in_pcbbind(struct inpcb *inp, struct sockaddr *nam, struct thread *td)
 			lastport = &pcbinfo->lasthi;
 		} else if (inp->inp_flags & INP_LOWPORT) {
 			if (cred &&
-			    (error = suser_cred(cred, PRISON_ROOT))) {
+			    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT))) {
 				inp->inp_laddr.s_addr = INADDR_ANY;
 				return (error);
 			}
diff --git a/sys/netinet/ip_carp.c b/sys/netinet/ip_carp.c
index a20b558..cf9747c 100644
--- a/sys/netinet/ip_carp.c
+++ b/sys/netinet/ip_carp.c
@@ -41,6 +41,7 @@
 #include <sys/mbuf.h>
 #include <sys/time.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/sockio.h>
 #include <sys/socket.h>
 #include <sys/sysctl.h>
@@ -1729,7 +1730,7 @@ carp_ioctl(struct ifnet *ifp, u_long cmd, caddr_t addr, struct ucred *cr)
 		break;
 
 	case SIOCSVH:
-		error = suser_cred(cr, NULL_CRED_OKAY);
+		error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 		if (error)
 			break;
 		if ((error = copyin(ifr->ifr_data, &carpr, sizeof carpr)))
@@ -1803,7 +1804,7 @@ carp_ioctl(struct ifnet *ifp, u_long cmd, caddr_t addr, struct ucred *cr)
 		carpr.carpr_vhid = sc->sc_vhid;
 		carpr.carpr_advbase = sc->sc_advbase;
 		carpr.carpr_advskew = sc->sc_advskew;
-		error = suser_cred(cr, NULL_CRED_OKAY);
+		error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 		if (error == 0) {
 			bcopy(sc->sc_key, carpr.carpr_key,
 			    sizeof(carpr.carpr_key));
diff --git a/sys/netinet/ip_divert.c b/sys/netinet/ip_divert.c
index e250856..16a8241 100644
--- a/sys/netinet/ip_divert.c
+++ b/sys/netinet/ip_divert.c
@@ -55,6 +55,7 @@
 #include <sys/sysctl.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/thread2.h>
 #include <sys/in_cksum.h>
 #include <sys/lock.h>
@@ -466,7 +467,7 @@ div_attach(struct socket *so, int proto, struct pru_attach_info *ai)
 	inp  = so->so_pcb;
 	if (inp)
 		panic("div_attach");
-	if ((error = suser_cred(ai->p_ucred, NULL_CRED_OKAY)) != 0)
+	if ((error = priv_check_cred(ai->p_ucred, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 		return error;
 
 	error = soreserve(so, div_sendspace, div_recvspace, ai->sb_rlimit);
diff --git a/sys/netinet/ip_output.c b/sys/netinet/ip_output.c
index 80c7f28..bd7a51d 100644
--- a/sys/netinet/ip_output.c
+++ b/sys/netinet/ip_output.c
@@ -50,6 +50,7 @@
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/sysctl.h>
 #include <sys/thread2.h>
 #include <sys/in_cksum.h>
@@ -1489,7 +1490,7 @@ ip_ctloutput(struct socket *so, struct sockopt *sopt)
 				break;
 			soopt_to_mbuf(sopt, m);
 			priv = (sopt->sopt_td != NULL &&
-				suser(sopt->sopt_td) != 0) ? 0 : 1;
+				priv_check(sopt->sopt_td, PRIV_ROOT) != 0) ? 0 : 1;
 			req = mtod(m, caddr_t);
 			len = m->m_len;
 			optname = sopt->sopt_name;
diff --git a/sys/netinet/raw_ip.c b/sys/netinet/raw_ip.c
index 22c8e44..1cb495f 100644
--- a/sys/netinet/raw_ip.c
+++ b/sys/netinet/raw_ip.c
@@ -45,6 +45,7 @@
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -539,7 +540,7 @@ rip_attach(struct socket *so, int proto, struct pru_attach_info *ai)
 	inp = so->so_pcb;
 	if (inp)
 		panic("rip_attach");
-	if ((error = suser_cred(ai->p_ucred, flag)) != 0)
+	if ((error = priv_check_cred(ai->p_ucred, PRIV_ROOT, flag)) != 0)
 		return error;
 
 	error = soreserve(so, rip_sendspace, rip_recvspace, ai->sb_rlimit);
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 6ca9161..3d11382 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -58,6 +58,7 @@
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/kernel.h>
 #include <sys/sysctl.h>
 #include <sys/thread2.h>
@@ -1933,7 +1934,7 @@ sctp_inpcb_bind(struct socket *so, struct sockaddr *addr, struct proc *p)
 #elif defined(__NetBSD__) || defined(__APPLE__)
 			    suser(p->p_ucred, &p->p_acflag)
 #elif defined(__DragonFly__)
-			    suser(p)
+			    priv_check(p, PRIV_ROOT)
 #else
 			    suser(p, 0)
 #endif
diff --git a/sys/netinet/sctp_usrreq.c b/sys/netinet/sctp_usrreq.c
index 63b7516..d3d40e4 100644
--- a/sys/netinet/sctp_usrreq.c
+++ b/sys/netinet/sctp_usrreq.c
@@ -56,6 +56,7 @@
 #include <sys/mbuf.h>
 #include <sys/domain.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -551,7 +552,7 @@ sctp_getcred(SYSCTL_HANDLER_ARGS)
 	int error;
 
 #if __FreeBSD_version >= 500000 || defined(__DragonFly__)
-	error = suser(req->td);
+	error = priv_check(req->td, PRIV_ROOT);
 #else
 	error = suser(req->p);
 #endif
diff --git a/sys/netinet/tcp_subr.c b/sys/netinet/tcp_subr.c
index 00bd942..22c33bc 100644
--- a/sys/netinet/tcp_subr.c
+++ b/sys/netinet/tcp_subr.c
@@ -85,6 +85,7 @@
 #include <sys/domain.h>
 #endif
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/protosw.h>
@@ -1255,7 +1256,7 @@ tcp_getcred(SYSCTL_HANDLER_ARGS)
 	int cpu;
 	int error;
 
-	error = suser(req->td);
+	error = priv_check(req->td, PRIV_ROOT);
 	if (error != 0)
 		return (error);
 	error = SYSCTL_IN(req, addrs, sizeof addrs);
@@ -1288,7 +1289,7 @@ tcp6_getcred(SYSCTL_HANDLER_ARGS)
 	int error;
 	boolean_t mapped = FALSE;
 
-	error = suser(req->td);
+	error = priv_check(req->td, PRIV_ROOT);
 	if (error != 0)
 		return (error);
 	error = SYSCTL_IN(req, addrs, sizeof addrs);
diff --git a/sys/netinet/udp_usrreq.c b/sys/netinet/udp_usrreq.c
index 160df66..b8c5840 100644
--- a/sys/netinet/udp_usrreq.c
+++ b/sys/netinet/udp_usrreq.c
@@ -78,6 +78,7 @@
 #include <sys/mbuf.h>
 #include <sys/domain.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -710,7 +711,7 @@ udp_getcred(SYSCTL_HANDLER_ARGS)
 	struct inpcb *inp;
 	int error;
 
-	error = suser(req->td);
+	error = priv_check(req->td, PRIV_ROOT);
 	if (error)
 		return (error);
 	error = SYSCTL_IN(req, addrs, sizeof addrs);
diff --git a/sys/netinet6/in6.c b/sys/netinet6/in6.c
index 71316a3..b5413da 100644
--- a/sys/netinet6/in6.c
+++ b/sys/netinet6/in6.c
@@ -77,6 +77,7 @@
 #include <sys/sockio.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/time.h>
 #include <sys/kernel.h>
 #include <sys/syslog.h>
@@ -385,7 +386,7 @@ in6_control(struct socket *so, u_long cmd, caddr_t data,
 	int error;
 
 	privileged = 0;
-	if (suser(td) == 0)
+	if (priv_check(td, PRIV_ROOT) == 0)
 		privileged++;
 
 	switch (cmd) {
diff --git a/sys/netinet6/in6_pcb.c b/sys/netinet6/in6_pcb.c
index 3fa30a6..01dd609 100644
--- a/sys/netinet6/in6_pcb.c
+++ b/sys/netinet6/in6_pcb.c
@@ -83,6 +83,7 @@
 #include <sys/errno.h>
 #include <sys/time.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/jail.h>
 #include <sys/thread2.h>
 
@@ -201,7 +202,7 @@ in6_pcbbind(struct inpcb *inp, struct sockaddr *nam, struct thread *td)
 
 			/* GROSS */
 			if (ntohs(lport) < IPV6PORT_RESERVED && cred &&
-			    suser_cred(cred, PRISON_ROOT))
+			    priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT))
 				return (EACCES);
 			if (so->so_cred->cr_uid != 0 &&
 			    !IN6_IS_ADDR_MULTICAST(&sin6->sin6_addr)) {
diff --git a/sys/netinet6/in6_src.c b/sys/netinet6/in6_src.c
index a6e0904..857edf7 100644
--- a/sys/netinet6/in6_src.c
+++ b/sys/netinet6/in6_src.c
@@ -80,6 +80,7 @@
 #include <sys/errno.h>
 #include <sys/time.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 
 #include <net/if.h>
 #include <net/route.h>
@@ -407,7 +408,7 @@ in6_pcbsetport(struct in6_addr *laddr, struct inpcb *inp, struct thread *td)
 		last  = ipport_hilastauto;
 		lastport = &pcbinfo->lasthi;
 	} else if (inp->inp_flags & INP_LOWPORT) {
-		if ((error = suser(td)) != 0)
+		if ((error = priv_check(td, PRIV_ROOT)) != 0)
 			return error;
 		first = ipport_lowfirstauto;	/* 1023 */
 		last  = ipport_lowlastauto;	/* 600 */
diff --git a/sys/netinet6/ip6_input.c b/sys/netinet6/ip6_input.c
index ab0b7fa..db60924 100644
--- a/sys/netinet6/ip6_input.c
+++ b/sys/netinet6/ip6_input.c
@@ -84,6 +84,7 @@
 #include <sys/kernel.h>
 #include <sys/syslog.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 
 #include <sys/thread2.h>
 #include <sys/msgport2.h>
@@ -1130,7 +1131,7 @@ ip6_savecontrol(struct inpcb *in6p, struct mbuf **mp, struct ip6_hdr *ip6,
 	int rthdr_exist = 0;
 
 
-	if (suser(td) == 0)
+	if (priv_check(td, PRIV_ROOT) == 0)
  		privileged++;
 
 #ifdef SO_TIMESTAMP
diff --git a/sys/netinet6/ip6_output.c b/sys/netinet6/ip6_output.c
index d1c018a..ae788df 100644
--- a/sys/netinet6/ip6_output.c
+++ b/sys/netinet6/ip6_output.c
@@ -81,6 +81,7 @@
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 
 #include <net/if.h>
 #include <net/route.h>
@@ -1395,7 +1396,7 @@ ip6_ctloutput(struct socket *so, struct sockopt *sopt)
 	error = optval = 0;
 
 	uproto = (int)so->so_proto->pr_protocol;
-	privileged = (td == NULL || suser(td)) ? 0 : 1;
+	privileged = (td == NULL || priv_check(td, PRIV_ROOT)) ? 0 : 1;
 
 	if (level == IPPROTO_IPV6) {
 		switch (op) {
@@ -2592,7 +2593,7 @@ ip6_setmoptions(int optname, struct ip6_moptions **im6op, struct mbuf *m)
 			 * all multicast addresses. Only super user is allowed
 			 * to do this.
 			 */
-			if (suser(td))
+			if (priv_check(td, PRIV_ROOT))
 			{
 				error = EACCES;
 				break;
@@ -2695,7 +2696,7 @@ ip6_setmoptions(int optname, struct ip6_moptions **im6op, struct mbuf *m)
 		}
 		mreq = mtod(m, struct ipv6_mreq *);
 		if (IN6_IS_ADDR_UNSPECIFIED(&mreq->ipv6mr_multiaddr)) {
-			if (suser(td)) {
+			if (priv_check(td, PRIV_ROOT)) {
 				error = EACCES;
 				break;
 			}
diff --git a/sys/netinet6/raw_ip6.c b/sys/netinet6/raw_ip6.c
index 34db51b..9294184 100644
--- a/sys/netinet6/raw_ip6.c
+++ b/sys/netinet6/raw_ip6.c
@@ -71,6 +71,7 @@
 #include <sys/param.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
 #include <sys/jail.h>
@@ -564,7 +565,7 @@ rip6_attach(struct socket *so, int proto, struct pru_attach_info *ai)
 	inp = so->so_pcb;
 	if (inp)
 		panic("rip6_attach");
-	if ((error = suser_cred(ai->p_ucred, flag)) != 0)
+	if ((error = priv_check_cred(ai->p_ucred, PRIV_ROOT, flag)) != 0)
 		return error;
 
 	error = soreserve(so, rip_sendspace, rip_recvspace, ai->sb_rlimit);
diff --git a/sys/netinet6/udp6_output.c b/sys/netinet6/udp6_output.c
index bdb93c0..810e4e8 100644
--- a/sys/netinet6/udp6_output.c
+++ b/sys/netinet6/udp6_output.c
@@ -81,6 +81,7 @@
 #include <sys/stat.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/syslog.h>
 
 #include <net/if.h>
@@ -137,7 +138,7 @@ udp6_output(struct in6pcb *in6p, struct mbuf *m, struct sockaddr *addr6,
 	int flags;
 	struct sockaddr_in6 tmp;
 
-	priv = !suser(td);	/* 1 if privilaged, 0 if not */
+	priv = !priv_check(td, PRIV_ROOT);	/* 1 if privilaged, 0 if not */
 	if (control) {
 		if ((error = ip6_setpktoptions(control, &opt,
 		    in6p->in6p_outputopts, 
diff --git a/sys/netinet6/udp6_usrreq.c b/sys/netinet6/udp6_usrreq.c
index ffb4908..0b33627 100644
--- a/sys/netinet6/udp6_usrreq.c
+++ b/sys/netinet6/udp6_usrreq.c
@@ -82,6 +82,7 @@
 #include <sys/systm.h>
 #include <sys/syslog.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/thread2.h>
 
 #include <net/if.h>
@@ -490,7 +491,7 @@ udp6_getcred(SYSCTL_HANDLER_ARGS)
 	struct inpcb *inp;
 	int error;
 
-	error = suser(req->td);
+	error = priv_check(req->td, PRIV_ROOT);
 	if (error)
 		return (error);
 
diff --git a/sys/netproto/802_11/wlan/ieee80211_dragonfly.c b/sys/netproto/802_11/wlan/ieee80211_dragonfly.c
index 89f052d..3af1322 100644
--- a/sys/netproto/802_11/wlan/ieee80211_dragonfly.c
+++ b/sys/netproto/802_11/wlan/ieee80211_dragonfly.c
@@ -38,6 +38,7 @@
 #include <sys/mbuf.h>   
 #include <sys/module.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/sysctl.h>
 
 #include <sys/socket.h>
@@ -321,7 +322,7 @@ ieee80211_load_module(const char *modname)
 #ifdef notyet
 	struct thread *td = curthread;
 
-	if (suser(td) == 0 && securelevel_gt(td->td_ucred, 0) == 0) {
+	if (priv_check(td, PRIV_ROOT) == 0 && securelevel_gt(td->td_ucred, 0) == 0) {
 		crit_enter();	/* NB: need BGL here */
 		linker_load_module(modname, NULL, NULL, NULL, NULL);
 		crit_exit();
diff --git a/sys/netproto/802_11/wlan/ieee80211_ioctl.c b/sys/netproto/802_11/wlan/ieee80211_ioctl.c
index bc02b47..79299c5 100644
--- a/sys/netproto/802_11/wlan/ieee80211_ioctl.c
+++ b/sys/netproto/802_11/wlan/ieee80211_ioctl.c
@@ -44,6 +44,7 @@
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/socket.h>
 #include <sys/sockio.h>
 #include <sys/systm.h>
@@ -346,7 +347,7 @@ ieee80211_cfgget(struct ieee80211com *ic, u_long cmd, caddr_t data,
 	case WI_RID_DEFLT_CRYPT_KEYS:
 		keys = (struct wi_ltv_keys *)&wreq;
 		/* do not show keys to non-root user */
-		error = suser_cred(cr, NULL_CRED_OKAY);
+		error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 		if (error) {
 			memset(keys, 0, sizeof(*keys));
 			error = 0;
@@ -864,7 +865,7 @@ ieee80211_ioctl_getkey(struct ieee80211com *ic, struct ieee80211req *ireq,
 	ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV);
 	if (wk->wk_keyix == ic->ic_def_txkey)
 		ik.ik_flags |= IEEE80211_KEY_DEFAULT;
-	if (suser_cred(cr, NULL_CRED_OKAY) == 0) {
+	if (priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY) == 0) {
 		/* NB: only root can read key data */
 		ik.ik_keyrsc = wk->wk_keyrsc;
 		ik.ik_keytsc = wk->wk_keytsc;
@@ -1363,7 +1364,7 @@ ieee80211_ioctl_get80211(struct ieee80211com *ic, u_long cmd,
 			return EINVAL;
 		len = (u_int) ic->ic_nw_keys[kid].wk_keylen;
 		/* NB: only root can read WEP keys */
-		if (suser_cred(cr, NULL_CRED_OKAY) == 0) {
+		if (priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY) == 0) {
 			bcopy(ic->ic_nw_keys[kid].wk_key, tmpkey, len);
 		} else {
 			bzero(tmpkey, len);
@@ -2560,7 +2561,7 @@ ieee80211_ioctl(struct ieee80211com *ic, u_long cmd, caddr_t data,
 				(struct ieee80211req *) data, cr);
 		break;
 	case SIOCS80211:
-		error = suser_cred(cr, NULL_CRED_OKAY);
+		error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 		if (error == 0)
 			error = ieee80211_ioctl_set80211(ic, cmd,
 					(struct ieee80211req *) data);
@@ -2569,7 +2570,7 @@ ieee80211_ioctl(struct ieee80211com *ic, u_long cmd, caddr_t data,
 		error = ieee80211_cfgget(ic, cmd, data, cr);
 		break;
 	case SIOCSIFGENERIC:
-		error = suser_cred(cr, NULL_CRED_OKAY);
+		error = priv_check_cred(cr, PRIV_ROOT, NULL_CRED_OKAY);
 		if (error)
 			break;
 		error = ieee80211_cfgset(ic, cmd, data);
diff --git a/sys/netproto/atalk/at_control.c b/sys/netproto/atalk/at_control.c
index eb2b8eb..70d55cd 100644
--- a/sys/netproto/atalk/at_control.c
+++ b/sys/netproto/atalk/at_control.c
@@ -8,6 +8,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/sockio.h>
 #include <sys/malloc.h>
 #include <sys/kernel.h>
@@ -102,7 +103,7 @@ at_control(struct socket *so, u_long cmd, caddr_t data,
 	/* 
 	 * If we are not superuser, then we don't get to do these ops.
 	 */
-	if (suser(td))
+	if (priv_check(td, PRIV_ROOT))
 	    return(EPERM);
 
 	sat = satosat( &ifr->ifr_addr );
diff --git a/sys/netproto/atalk/ddp_usrreq.c b/sys/netproto/atalk/ddp_usrreq.c
index caabf9b..6f9a51d 100644
--- a/sys/netproto/atalk/ddp_usrreq.c
+++ b/sys/netproto/atalk/ddp_usrreq.c
@@ -8,6 +8,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/malloc.h>
 #include <sys/mbuf.h>
 #include <sys/socket.h>
@@ -248,7 +249,7 @@ at_pcbsetaddr(struct ddpcb *ddp, struct sockaddr *addr, struct thread *td)
 		return( EINVAL );
 	    }
 	    if ( sat->sat_port < ATPORT_RESERVED &&
-		 suser(td) ) {
+		 priv_check(td, PRIV_ROOT) ) {
 		return( EACCES );
 	    }
 	}
diff --git a/sys/netproto/atm/atm_usrreq.c b/sys/netproto/atm/atm_usrreq.c
index d8efe7c..8a928fc 100644
--- a/sys/netproto/atm/atm_usrreq.c
+++ b/sys/netproto/atm/atm_usrreq.c
@@ -163,7 +163,7 @@ atm_dgram_control(struct socket *so, u_long cmd, caddr_t data,
 		struct atmcfgreq	*acp = (struct atmcfgreq *)data;
 		struct atm_pif		*pip;
 
-		if (suser(td))
+		if (priv_check(td, PRIV_ROOT))
 			ATM_RETERR(EPERM);
 
 		switch (acp->acr_opcode) {
@@ -196,7 +196,7 @@ atm_dgram_control(struct socket *so, u_long cmd, caddr_t data,
 		struct atmaddreq	*aap = (struct atmaddreq *)data;
 		Atm_endpoint		*epp;
 
-		if (suser(td))
+		if (priv_check(td, PRIV_ROOT))
 			ATM_RETERR(EPERM);
 
 		switch (aap->aar_opcode) {
@@ -246,7 +246,7 @@ atm_dgram_control(struct socket *so, u_long cmd, caddr_t data,
 		struct sigmgr		*smp;
 		Atm_endpoint		*epp;
 
-		if (suser(td))
+		if (priv_check(td, PRIV_ROOT))
 			ATM_RETERR(EPERM);
 
 		switch (adp->adr_opcode) {
@@ -299,7 +299,7 @@ atm_dgram_control(struct socket *so, u_long cmd, caddr_t data,
 		struct sigmgr		*smp;
 		struct ifnet		*ifp2;
 
-		if (suser(td))
+		if (priv_check(td, PRIV_ROOT))
 			ATM_RETERR(EPERM);
 
 		switch (asp->asr_opcode) {
diff --git a/sys/netproto/atm/kern_include.h b/sys/netproto/atm/kern_include.h
index 5a55804..4709a82 100644
--- a/sys/netproto/atm/kern_include.h
+++ b/sys/netproto/atm/kern_include.h
@@ -50,6 +50,7 @@
 #include <sys/errno.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/sockio.h>
 #include <sys/time.h>
 #include <sys/kernel.h>
diff --git a/sys/netproto/ipx/ipx.c b/sys/netproto/ipx/ipx.c
index 708d2a7..e7c03b8 100644
--- a/sys/netproto/ipx/ipx.c
+++ b/sys/netproto/ipx/ipx.c
@@ -42,6 +42,7 @@
 #include <sys/malloc.h>
 #include <sys/sockio.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/socket.h>
 #include <sys/thread2.h>
 
@@ -107,7 +108,7 @@ ipx_control(struct socket *so, u_long cmd, caddr_t data,
 		return (0);
 	}
 
-	if ((error = suser(td)) != 0)
+	if ((error = priv_check(td, PRIV_ROOT)) != 0)
 		return (error);
 
 	switch (cmd) {
diff --git a/sys/netproto/ipx/ipx_pcb.c b/sys/netproto/ipx/ipx_pcb.c
index e5c65f2..36be535 100644
--- a/sys/netproto/ipx/ipx_pcb.c
+++ b/sys/netproto/ipx/ipx_pcb.c
@@ -41,6 +41,7 @@
 #include <sys/systm.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
 #include <sys/thread2.h>
@@ -97,7 +98,7 @@ ipx_pcbbind(struct ipxpcb *ipxp, struct sockaddr *nam, struct thread *td)
 		int error;
 
 		if (aport < IPXPORT_RESERVED &&
-		    td != NULL && (error = suser(td)) != 0)
+		    td != NULL && (error = priv_check(td, PRIV_ROOT)) != 0)
 			return (error);
 		if (ipx_pcblookup(&zeroipx_addr, lport, 0))
 			return (EADDRINUSE);
diff --git a/sys/netproto/ipx/ipx_usrreq.c b/sys/netproto/ipx/ipx_usrreq.c
index fcda47e..0326f32 100644
--- a/sys/netproto/ipx/ipx_usrreq.c
+++ b/sys/netproto/ipx/ipx_usrreq.c
@@ -44,6 +44,7 @@
 #include <sys/kernel.h>
 #include <sys/mbuf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/protosw.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -597,7 +598,7 @@ ripx_attach(struct socket *so, int proto, struct pru_attach_info *ai)
 	int error = 0;
 	struct ipxpcb *ipxp = sotoipxpcb(so);
 
-	if ((error = suser_cred(ai->p_ucred, NULL_CRED_OKAY)) != 0)
+	if ((error = priv_check_cred(ai->p_ucred, PRIV_ROOT, NULL_CRED_OKAY)) != 0)
 		return (error);
 	crit_enter();
 	error = ipx_pcballoc(so, &ipxrawpcb);
diff --git a/sys/netproto/ncp/ncp_conn.c b/sys/netproto/ncp/ncp_conn.c
index 3581905..d96473e 100644
--- a/sys/netproto/ncp/ncp_conn.c
+++ b/sys/netproto/ncp/ncp_conn.c
@@ -38,6 +38,7 @@
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/lock.h>
 #include <sys/sysctl.h>
 
diff --git a/sys/netproto/ncp/ncp_login.c b/sys/netproto/ncp/ncp_login.c
index ea142ce..cf6439a 100644
--- a/sys/netproto/ncp/ncp_login.c
+++ b/sys/netproto/ncp/ncp_login.c
@@ -37,6 +37,7 @@
 #include <sys/malloc.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/socket.h>
 
 #include "ncp.h"
diff --git a/sys/netproto/ncp/ncp_ncp.c b/sys/netproto/ncp/ncp_ncp.c
index be34147..f39fc8d 100644
--- a/sys/netproto/ncp/ncp_ncp.c
+++ b/sys/netproto/ncp/ncp_ncp.c
@@ -41,6 +41,7 @@
 #include <sys/errno.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/poll.h>
 #include <sys/signalvar.h>
 #include <sys/signal2.h>
diff --git a/sys/netproto/ncp/ncp_subr.h b/sys/netproto/ncp/ncp_subr.h
index 5aff3fe..9c5f339 100644
--- a/sys/netproto/ncp/ncp_subr.h
+++ b/sys/netproto/ncp/ncp_subr.h
@@ -84,7 +84,7 @@
 
 #define checkbad(fn) {error=(fn);if(error) goto bad;}
 
-#define	ncp_suser(cred)	suser_cred(cred, 0)
+#define	ncp_suser(cred)	priv_check_cred(cred, PRIV_ROOT, 0)
 
 #define ncp_isowner(conn,cred) ((cred)->cr_uid == (conn)->nc_owner->cr_uid)
 
diff --git a/sys/netproto/smb/smb_conn.c b/sys/netproto/smb/smb_conn.c
index 44988f2..383a318 100644
--- a/sys/netproto/smb/smb_conn.c
+++ b/sys/netproto/smb/smb_conn.c
@@ -42,6 +42,7 @@
 #include <sys/kernel.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/lock.h>
 #include <sys/sysctl.h>
 #include <sys/socketvar.h>
diff --git a/sys/netproto/smb/smb_subr.h b/sys/netproto/smb/smb_subr.h
index c64e213..7d188f6 100644
--- a/sys/netproto/smb/smb_subr.h
+++ b/sys/netproto/smb/smb_subr.h
@@ -74,7 +74,7 @@ void m_dumpm(struct mbuf *m);
 	 SIGISMEMBER(set, SIGHUP) || SIGISMEMBER(set, SIGKILL) ||	\
 	 SIGISMEMBER(set, SIGQUIT))
 
-#define	smb_suser(cred)	suser_cred(cred, 0)
+#define	smb_suser(cred)	priv_check_cred(cred, PRIV_ROOT, 0)
 
 #include <sys/lock.h>
 #include <sys/spinlock.h>
diff --git a/sys/platform/pc32/gnu/isa/dgb.c b/sys/platform/pc32/gnu/isa/dgb.c
index 196971c..9ad482a 100644
--- a/sys/platform/pc32/gnu/isa/dgb.c
+++ b/sys/platform/pc32/gnu/isa/dgb.c
@@ -52,6 +52,7 @@
 #include <sys/systm.h>
 #include <sys/tty.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/conf.h>
 #include <sys/dkstat.h>
 #include <sys/fcntl.h>
@@ -1020,7 +1021,7 @@ open_top:
 				goto open_top;
 			}
 		}
-		if (tp->t_state & TS_XCLUDE && suser(td)) {
+		if (tp->t_state & TS_XCLUDE && priv_check(td, PRIV_ROOT)) {
 			error = EBUSY;
 			goto out;
 		}
@@ -1505,7 +1506,7 @@ dgbioctl(cdev_t dev, u_long cmd, caddr_t	data, int flag, struct thread *td)
 		}
 		switch (cmd) {
 		case TIOCSETA:
-			error = suser(td);
+			error = priv_check(td, PRIV_ROOT);
 			if (error != 0)
 				return (error);
 			*ct = *(struct termios *)data;
@@ -1727,7 +1728,7 @@ dgbioctl(cdev_t dev, u_long cmd, caddr_t	data, int flag, struct thread *td)
 		break;
 	case TIOCMSDTRWAIT:
 		/* must be root since the wait applies to following logins */
-		error = suser(td);
+		error = priv_check(td, PRIV_ROOT);
 		if (error != 0) {
 			crit_exit();
 			return (error);
diff --git a/sys/platform/pc32/i386/machdep.c b/sys/platform/pc32/i386/machdep.c
index dca29bc..4a90a14 100644
--- a/sys/platform/pc32/i386/machdep.c
+++ b/sys/platform/pc32/i386/machdep.c
@@ -64,6 +64,7 @@
 #include <sys/linker.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/buf.h>
 #include <sys/reboot.h>
 #include <sys/mbuf.h>
@@ -2417,7 +2418,7 @@ set_dbregs(struct lwp *lp, struct dbreg *dbregs)
 		 * from within kernel mode?
 		 */
 
-		if (suser_cred(ucred, 0) != 0) {
+		if (priv_check_cred(ucred, PRIV_ROOT, 0) != 0) {
 			if (dbregs->dr7 & 0x3) {
 				/* dr0 is enabled */
 				if (dbregs->dr0 >= VM_MAX_USER_ADDRESS)
diff --git a/sys/platform/pc32/i386/sys_machdep.c b/sys/platform/pc32/i386/sys_machdep.c
index 5e649fe..a179d70 100644
--- a/sys/platform/pc32/i386/sys_machdep.c
+++ b/sys/platform/pc32/i386/sys_machdep.c
@@ -42,6 +42,7 @@
 #include <sys/malloc.h>
 #include <sys/thread.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/thread.h>
 #include <sys/memrange.h>
 
@@ -173,7 +174,7 @@ ki386_set_ioperm(struct lwp *lp, char *args)
 	if ((error = copyin(args, &ua, sizeof(struct i386_ioperm_args))) != 0)
 		return (error);
 
-	if ((error = suser_cred(lp->lwp_proc->p_ucred, 0)) != 0)
+	if ((error = priv_check_cred(lp->lwp_proc->p_ucred, PRIV_ROOT, 0)) != 0)
 		return (error);
 	if (securelevel > 0)
 		return (EPERM);
diff --git a/sys/platform/pc32/i386/vm86.c b/sys/platform/pc32/i386/vm86.c
index 9fd6659..1d88690 100644
--- a/sys/platform/pc32/i386/vm86.c
+++ b/sys/platform/pc32/i386/vm86.c
@@ -32,6 +32,7 @@
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
 #include <sys/sysctl.h>
@@ -772,7 +773,7 @@ vm86_sysarch(struct lwp *lp, char *args)
 	case VM86_INTCALL: {
 		struct vm86_intcall_args sa;
 
-		if ((error = suser_cred(lp->lwp_proc->p_ucred, 0)))
+		if ((error = priv_check_cred(lp->lwp_proc->p_ucred, PRIV_ROOT, 0)))
 			return (error);
 		if ((error = copyin(ua.sub_args, &sa, sizeof(sa))))
 			return (error);
diff --git a/sys/platform/pc64/amd64/machdep.c b/sys/platform/pc64/amd64/machdep.c
index 6065f0b..ba4a3e0 100644
--- a/sys/platform/pc64/amd64/machdep.c
+++ b/sys/platform/pc64/amd64/machdep.c
@@ -62,6 +62,7 @@
 #include <sys/linker.h>
 #include <sys/malloc.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/buf.h>
 #include <sys/reboot.h>
 #include <sys/mbuf.h>
@@ -2238,7 +2239,7 @@ set_dbregs(struct lwp *lp, struct dbreg *dbregs)
 		 * from within kernel mode?
 		 */
 
-		if (suser_cred(ucred, 0) != 0) {
+		if (priv_check_cred(ucred, PRIV_ROOT, 0) != 0) {
 #if JG
 			if (dbregs->dr7 & 0x3) {
 				/* dr0 is enabled */
diff --git a/sys/vfs/gnu/ext2fs/ext2_vfsops.c b/sys/vfs/gnu/ext2fs/ext2_vfsops.c
index eb4adf5..436736c 100644
--- a/sys/vfs/gnu/ext2fs/ext2_vfsops.c
+++ b/sys/vfs/gnu/ext2fs/ext2_vfsops.c
@@ -47,6 +47,7 @@
 #include <sys/systm.h>
 #include <sys/nlookup.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/kernel.h>
 #include <sys/vnode.h>
 #include <sys/mount.h>
@@ -169,7 +170,7 @@ ext2_quotactl(struct mount *mp, int cmds, uid_t uid, caddr_t arg,
 			break;
 		/* fall through */
 	default:
-		if ((error = suser_cred(cred, PRISON_ROOT)) != 0)
+		if ((error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)) != 0)
 			return (error);
 	}
 
diff --git a/sys/vfs/gnu/ext2fs/ext2_vnops.c b/sys/vfs/gnu/ext2fs/ext2_vnops.c
index 9db9c10..3b79b1d 100644
--- a/sys/vfs/gnu/ext2fs/ext2_vnops.c
+++ b/sys/vfs/gnu/ext2fs/ext2_vnops.c
@@ -59,6 +59,7 @@
 #include <sys/buf.h>
 #include <sys/stat.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/mount.h>
 #include <sys/time.h>
 #include <sys/vnode.h>
@@ -1202,7 +1203,7 @@ ext2_makeinode(int mode, struct vnode *dvp, struct vnode **vpp,
 	tvp->v_type = IFTOVT(mode);	/* Rest init'd in getnewvnode(). */
 	ip->i_nlink = 1;
 	if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) &&
-	    suser_cred(cnp->cn_cred, PRISON_ROOT))
+	    priv_check_cred(cnp->cn_cred, PRIV_ROOT, PRISON_ROOT))
 		ip->i_mode &= ~ISGID;
 
 	if (cnp->cn_flags & CNP_ISWHITEOUT)
@@ -1479,7 +1480,7 @@ ext2_setattr(struct vop_setattr_args *ap)
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
 		if (cred->cr_uid != ip->i_uid &&
-		    (error = suser_cred(cred, PRISON_ROOT)))
+		    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)))
 			return (error);
 		/*
 		 * Note that a root chflags becomes a user chflags when
@@ -1541,7 +1542,7 @@ ext2_setattr(struct vop_setattr_args *ap)
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
 		if (cred->cr_uid != ip->i_uid &&
-		    (error = suser_cred(cred, PRISON_ROOT)) &&
+		    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)) &&
 		    ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
 		    (error = VOP_ACCESS(vp, VWRITE, cred))))
 			return (error);
@@ -1583,7 +1584,7 @@ ext2_chmod(struct vnode *vp, int mode, struct ucred *cred)
 	int error;
 
 	if (cred->cr_uid != ip->i_uid) {
-	    error = suser_cred(cred, PRISON_ROOT);
+	    error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT);
 	    if (error)
 		return (error);
 	}
@@ -1627,7 +1628,7 @@ ext2_chown(struct vnode *vp, uid_t uid, gid_t gid, struct ucred *cred)
 	if ((cred->cr_uid != ip->i_uid || uid != ip->i_uid ||
 	    (gid != ip->i_gid && !(cred->cr_gid == gid ||
 	    groupmember((gid_t)gid, cred)))) &&
-	    (error = suser_cred(cred, PRISON_ROOT)))
+	    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)))
 		return (error);
 	ogid = ip->i_gid;
 	ouid = ip->i_uid;
diff --git a/sys/vfs/hammer/hammer.h b/sys/vfs/hammer/hammer.h
index d1055c3..3c9c7b9 100644
--- a/sys/vfs/hammer/hammer.h
+++ b/sys/vfs/hammer/hammer.h
@@ -49,6 +49,7 @@
 #include <sys/mountctl.h>
 #include <sys/vnode.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/stat.h>
 #include <sys/globaldata.h>
 #include <sys/lockf.h>
diff --git a/sys/vfs/hammer/hammer_ioctl.c b/sys/vfs/hammer/hammer_ioctl.c
index f5dc870..42a6ea4 100644
--- a/sys/vfs/hammer/hammer_ioctl.c
+++ b/sys/vfs/hammer/hammer_ioctl.c
@@ -54,7 +54,7 @@ hammer_ioctl(hammer_inode_t ip, u_long com, caddr_t data, int fflag,
 	struct hammer_transaction trans;
 	int error;
 
-	error = suser_cred(cred, PRISON_ROOT);
+	error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT);
 
 	hammer_start_transaction(&trans, ip->hmp);
 
diff --git a/sys/vfs/hpfs/hpfs_vnops.c b/sys/vfs/hpfs/hpfs_vnops.c
index b435139..08469b6 100644
--- a/sys/vfs/hpfs/hpfs_vnops.c
+++ b/sys/vfs/hpfs/hpfs_vnops.c
@@ -31,6 +31,7 @@
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/time.h>
 #include <sys/types.h>
 #include <sys/stat.h>
@@ -524,7 +525,7 @@ hpfs_setattr(struct vop_setattr_args *ap)
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
 		if (cred->cr_uid != hp->h_uid &&
-		    (error = suser_cred(cred, PRISON_ROOT)) &&
+		    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)) &&
 		    ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
 		    (error = VOP_ACCESS(vp, VWRITE, cred))))
 			return (error);
diff --git a/sys/vfs/isofs/cd9660/cd9660_vfsops.c b/sys/vfs/isofs/cd9660/cd9660_vfsops.c
index cc13d99..ebd8097 100644
--- a/sys/vfs/isofs/cd9660/cd9660_vfsops.c
+++ b/sys/vfs/isofs/cd9660/cd9660_vfsops.c
@@ -43,6 +43,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/nlookup.h>
 #include <sys/kernel.h>
 #include <sys/vnode.h>
@@ -231,7 +232,7 @@ cd9660_mount(struct mount *mp, char *path, caddr_t data, struct ucred *cred)
 	vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY);
 	error = VOP_ACCESS(devvp, accessmode, cred);
 	if (error) 
-		error = suser_cred(cred, 0);
+		error = priv_check_cred(cred, PRIV_ROOT, 0);
 	if (error) {
 		vput(devvp);
 		return (error);
diff --git a/sys/vfs/msdosfs/msdosfs_vnops.c b/sys/vfs/msdosfs/msdosfs_vnops.c
index c5225f9..3a2127c 100644
--- a/sys/vfs/msdosfs/msdosfs_vnops.c
+++ b/sys/vfs/msdosfs/msdosfs_vnops.c
@@ -56,6 +56,7 @@
 #include <sys/stat.h>
 #include <sys/buf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/namei.h>
 #include <sys/mount.h>
 #include <sys/unistd.h>
@@ -415,7 +416,7 @@ msdosfs_setattr(struct vop_setattr_args *ap)
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
 		if (cred->cr_uid != pmp->pm_uid &&
-		    (error = suser_cred(cred, PRISON_ROOT)))
+		    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)))
 			return (error);
 		/*
 		 * We are very inconsistent about handling unsupported
@@ -456,7 +457,7 @@ msdosfs_setattr(struct vop_setattr_args *ap)
 			gid = pmp->pm_gid;
 		if ((cred->cr_uid != pmp->pm_uid || uid != pmp->pm_uid ||
 		    (gid != pmp->pm_gid && !groupmember(gid, cred))) &&
-		    (error = suser_cred(cred, PRISON_ROOT)))
+		    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)))
 			return error;
 		if (uid != pmp->pm_uid || gid != pmp->pm_gid)
 			return EINVAL;
@@ -488,7 +489,7 @@ msdosfs_setattr(struct vop_setattr_args *ap)
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
 		if (cred->cr_uid != pmp->pm_uid &&
-		    (error = suser_cred(cred, PRISON_ROOT)) &&
+		    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)) &&
 		    ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
 		    (error = VOP_ACCESS(ap->a_vp, VWRITE, cred))))
 			return (error);
@@ -517,7 +518,7 @@ msdosfs_setattr(struct vop_setattr_args *ap)
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
 		if (cred->cr_uid != pmp->pm_uid &&
-		    (error = suser_cred(cred, PRISON_ROOT)))
+		    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)))
 			return (error);
 		if (vp->v_type != VDIR) {
 			/* We ignore the read and execute bits. */
diff --git a/sys/vfs/nfs/nfs_serv.c b/sys/vfs/nfs/nfs_serv.c
index 8a8f7d3..c56cc07 100644
--- a/sys/vfs/nfs/nfs_serv.c
+++ b/sys/vfs/nfs/nfs_serv.c
@@ -66,6 +66,7 @@
 #include <sys/param.h>
 #include <sys/systm.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/nlookup.h>
 #include <sys/namei.h>
 #include <sys/unistd.h>
@@ -1692,7 +1693,7 @@ nfsrv_create(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp,
 			if (vap->va_type == VCHR && rdev == 0xffffffff)
 				vap->va_type = VFIFO;
                         if (vap->va_type != VFIFO &&
-                            (error = suser_cred(cred, 0))) {
+                            (error = priv_check_cred(cred, PRIV_ROOT, 0))) {
 				goto nfsmreply0;
                         }
 			vap->va_rmajor = umajor(rdev);
@@ -1891,7 +1892,7 @@ nfsrv_mknod(struct nfsrv_descript *nfsd, struct nfssvc_sock *slp,
 		vrele(dvp);
 		dvp = NULL;
 	} else {
-		if (vtyp != VFIFO && (error = suser_cred(cred, 0)))
+		if (vtyp != VFIFO && (error = priv_check_cred(cred, PRIV_ROOT, 0)))
 			goto out;
 
 		vn_unlock(dvp);
diff --git a/sys/vfs/nfs/nfs_syscalls.c b/sys/vfs/nfs/nfs_syscalls.c
index 1e14b61..ef361d2 100644
--- a/sys/vfs/nfs/nfs_syscalls.c
+++ b/sys/vfs/nfs/nfs_syscalls.c
@@ -49,6 +49,7 @@
 #include <sys/malloc.h>
 #include <sys/mount.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/buf.h>
 #include <sys/mbuf.h>
 #include <sys/resourcevar.h>
@@ -152,7 +153,7 @@ sys_nfssvc(struct nfssvc_args *uap)
 	/*
 	 * Must be super user
 	 */
-	error = suser(td);
+	error = priv_check(td, PRIV_ROOT);
 	if(error)
 		return (error);
 	KKASSERT(td->td_proc);	/* for ucred and p_fd */
diff --git a/sys/vfs/procfs/procfs.h b/sys/vfs/procfs/procfs.h
index 2d565ed..6602700 100644
--- a/sys/vfs/procfs/procfs.h
+++ b/sys/vfs/procfs/procfs.h
@@ -99,7 +99,7 @@ struct pfsnode {
        ((p1)->p_ucred->cr_ruid == (p2)->p_ucred->cr_ruid) && \
        ((p1)->p_ucred->cr_svuid == (p2)->p_ucred->cr_ruid) && \
        ((p2)->p_flag & (P_SUGID|P_INEXEC)) == 0) || \
-      (suser_cred((p1)->p_ucred, PRISON_ROOT) == 0))
+      (priv_check_cred((p1)->p_ucred, PRIV_ROOT, PRISON_ROOT) == 0))
 
 /*
  * Convert between pfsnode vnode
diff --git a/sys/vfs/procfs/procfs_vnops.c b/sys/vfs/procfs/procfs_vnops.c
index 6da9a4a..d7b26c0 100644
--- a/sys/vfs/procfs/procfs_vnops.c
+++ b/sys/vfs/procfs/procfs_vnops.c
@@ -51,6 +51,7 @@
 #include <sys/lock.h>
 #include <sys/fcntl.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/signalvar.h>
 #include <sys/vnode.h>
 #include <sys/uio.h>
@@ -290,7 +291,7 @@ procfs_ioctl(struct vop_ioctl_args *ap)
 	   */
 #define NFLAGS	(PF_ISUGID)
 	  flags = (unsigned char)*(unsigned int*)ap->a_data;
-	  if (flags & NFLAGS && (error = suser_cred(ap->a_cred, 0)))
+	  if (flags & NFLAGS && (error = priv_check_cred(ap->a_cred, PRIV_ROOT, 0)))
 	    return error;
 	  procp->p_pfsflags = flags;
 	  break;
diff --git a/sys/vfs/smbfs/smbfs_vnops.c b/sys/vfs/smbfs/smbfs_vnops.c
index 4138e8e..e3a5068 100644
--- a/sys/vfs/smbfs/smbfs_vnops.c
+++ b/sys/vfs/smbfs/smbfs_vnops.c
@@ -36,6 +36,7 @@
 #include <sys/systm.h>
 #include <sys/kernel.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/namei.h>
 #include <sys/fcntl.h>
 #include <sys/mount.h>
@@ -365,7 +366,7 @@ smbfs_setattr(struct vop_setattr_args *ap)
 		atime = &vap->va_atime;
 	if (mtime != atime) {
 		if (ap->a_cred->cr_uid != VTOSMBFS(vp)->sm_args.uid &&
-		    (error = suser_cred(ap->a_cred, PRISON_ROOT)) &&
+		    (error = priv_check_cred(ap->a_cred, PRIV_ROOT, PRISON_ROOT)) &&
 		    ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
 		    (error = VOP_ACCESS(vp, VWRITE, ap->a_cred))))
 			return (error);
diff --git a/sys/vfs/udf/udf_vfsops.c b/sys/vfs/udf/udf_vfsops.c
index a00c9ed..a36021b 100644
--- a/sys/vfs/udf/udf_vfsops.c
+++ b/sys/vfs/udf/udf_vfsops.c
@@ -85,6 +85,7 @@
 #include <sys/mount.h>
 #include <sys/nlookup.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/queue.h>
 #include <sys/vnode.h>
 
@@ -174,7 +175,7 @@ udf_mount(struct mount *mp, char *path, caddr_t data, struct ucred *cred)
 	vn_lock(devvp, LK_EXCLUSIVE | LK_RETRY);
 	error = VOP_ACCESS(devvp, VREAD, cred);
 	if (error)
-		error = suser_cred(cred, 0);
+		error = priv_check_cred(cred, PRIV_ROOT, 0);
 	if (error) {
 		vput(devvp);
 		return(error);
diff --git a/sys/vfs/ufs/ufs_vfsops.c b/sys/vfs/ufs/ufs_vfsops.c
index f9de890..0a2b00a 100644
--- a/sys/vfs/ufs/ufs_vfsops.c
+++ b/sys/vfs/ufs/ufs_vfsops.c
@@ -46,6 +46,7 @@
 #include <sys/kernel.h>
 #include <sys/mount.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/malloc.h>
 #include <sys/vnode.h>
 
@@ -107,7 +108,7 @@ ufs_quotactl(struct mount *mp, int cmds, uid_t uid, caddr_t arg,
 			break;
 		/* fall through */
 	default:
-		if ((error = suser_cred(cred, PRISON_ROOT)) != 0)
+		if ((error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)) != 0)
 			return (error);
 	}
 
diff --git a/sys/vfs/ufs/ufs_vnops.c b/sys/vfs/ufs/ufs_vnops.c
index b73b016..bfcf178 100644
--- a/sys/vfs/ufs/ufs_vnops.c
+++ b/sys/vfs/ufs/ufs_vnops.c
@@ -51,6 +51,7 @@
 #include <sys/stat.h>
 #include <sys/buf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/namei.h>
 #include <sys/mount.h>
 #include <sys/unistd.h>
@@ -472,7 +473,7 @@ ufs_setattr(struct vop_setattr_args *ap)
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
 		if (cred->cr_uid != ip->i_uid &&
-		    (error = suser_cred(cred, PRISON_ROOT)))
+		    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)))
 			return (error);
 		/*
 		 * Note that a root chflags becomes a user chflags when
@@ -534,7 +535,7 @@ ufs_setattr(struct vop_setattr_args *ap)
 		if (vp->v_mount->mnt_flag & MNT_RDONLY)
 			return (EROFS);
 		if (cred->cr_uid != ip->i_uid &&
-		    (error = suser_cred(cred, PRISON_ROOT)) &&
+		    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)) &&
 		    ((vap->va_vaflags & VA_UTIMES_NULL) == 0 ||
 		    (error = VOP_ACCESS(vp, VWRITE, cred))))
 			return (error);
@@ -576,7 +577,7 @@ ufs_chmod(struct vnode *vp, int mode, struct ucred *cred)
 	int error;
 
 	if (cred->cr_uid != ip->i_uid) {
-	    error = suser_cred(cred, PRISON_ROOT);
+	    error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT);
 	    if (error)
 		return (error);
 	}
@@ -620,7 +621,7 @@ ufs_chown(struct vnode *vp, uid_t uid, gid_t gid, struct ucred *cred)
 	if ((cred->cr_uid != ip->i_uid || uid != ip->i_uid ||
 	    (gid != ip->i_gid && !(cred->cr_gid == gid ||
 	    groupmember((gid_t)gid, cred)))) &&
-	    (error = suser_cred(cred, PRISON_ROOT)))
+	    (error = priv_check_cred(cred, PRIV_ROOT, PRISON_ROOT)))
 		return (error);
 	ogid = ip->i_gid;
 	ouid = ip->i_uid;
@@ -2189,7 +2190,7 @@ ufs_makeinode(int mode, struct vnode *dvp, struct vnode **vpp,
 	if (DOINGSOFTDEP(tvp))
 		softdep_change_linkcnt(ip);
 	if ((ip->i_mode & ISGID) && !groupmember(ip->i_gid, cnp->cn_cred) &&
-	    suser_cred(cnp->cn_cred, 0)) {
+	    priv_check_cred(cnp->cn_cred, PRIV_ROOT, 0)) {
 		ip->i_mode &= ~ISGID;
 	}
 
diff --git a/sys/vm/vm_mmap.c b/sys/vm/vm_mmap.c
index 758d844..cfe56ef 100644
--- a/sys/vm/vm_mmap.c
+++ b/sys/vm/vm_mmap.c
@@ -53,6 +53,7 @@
 #include <sys/filedesc.h>
 #include <sys/kern_syscall.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/resource.h>
 #include <sys/resourcevar.h>
 #include <sys/vnode.h>
@@ -332,7 +333,7 @@ kern_mmap(struct vmspace *vms, caddr_t uaddr, size_t ulen,
 			if (securelevel >= 1)
 				disablexworkaround = 1;
 			else
-				disablexworkaround = suser(td);
+				disablexworkaround = priv_check(td, PRIV_ROOT);
 			if (vp->v_type == VCHR && disablexworkaround &&
 			    (flags & (MAP_PRIVATE|MAP_COPY))) {
 				error = EINVAL;
@@ -909,7 +910,7 @@ sys_mlock(struct mlock_args *uap)
 	    p->p_rlimit[RLIMIT_MEMLOCK].rlim_cur)
 		return (ENOMEM);
 #else
-	error = suser_cred(p->p_ucred, 0);
+	error = priv_check_cred(p->p_ucred, PRIV_ROOT, 0);
 	if (error)
 		return (error);
 #endif
@@ -961,7 +962,7 @@ sys_munlock(struct munlock_args *uap)
 		return (EINVAL);
 
 #ifndef pmap_wired_count
-	error = suser(td);
+	error = priv_check(td, PRIV_ROOT);
 	if (error)
 		return (error);
 #endif
diff --git a/sys/vm/vm_swap.c b/sys/vm/vm_swap.c
index 10c29f2..4bbc472 100644
--- a/sys/vm/vm_swap.c
+++ b/sys/vm/vm_swap.c
@@ -42,6 +42,7 @@
 #include <sys/sysproto.h>
 #include <sys/buf.h>
 #include <sys/proc.h>
+#include <sys/priv.h>
 #include <sys/nlookup.h>
 #include <sys/dmap.h>		/* XXX */
 #include <sys/vnode.h>
@@ -183,7 +184,7 @@ sys_swapon(struct swapon_args *uap)
 	KKASSERT(td->td_proc);
 	cred = td->td_proc->p_ucred;
 
-	error = suser(td);
+	error = priv_check(td, PRIV_ROOT);
 	if (error)
 		return (error);
 

commit 9da9ad534cdad16661a7143ec63b3f70574b76d5
Author: Michael Neumann <mneumann@ntecs.de>
Date:   Mon Dec 15 01:09:25 2008 +0000

    Implement priv_check() and priv_check_cred()

diff --git a/sys/kern/kern_prot.c b/sys/kern/kern_prot.c
index 6ec0fe8..bcf03ff 100644
--- a/sys/kern/kern_prot.c
+++ b/sys/kern/kern_prot.c
@@ -861,6 +861,28 @@ suser_cred(struct ucred *cred, int flag)
 }
 
 /*
+ * Check for privilege.
+ *
+ * YYY: For now this is just a wrapper calling suser().
+ */
+int
+priv_check(struct thread *td, int priv)
+{
+  return suser(td);
+}
+
+/*
+ * Check a credential for privilege.
+ *
+ * YYY: For now this is just a wrapper calling suser_cred().
+ */
+int
+priv_check_cred(struct ucred *cred, int priv, int flags)
+{
+  return suser_cred(cred, flags);
+}
+
+/*
  * Return zero if p1 can fondle p2, return errno (EPERM/ESRCH) otherwise.
  */
 int

commit 535425c00eedd2d8d51e03cbd4696e6efde078bf
Author: Michael Neumann <mneumann@ntecs.de>
Date:   Mon Dec 15 00:57:45 2008 +0000

    Import sys/priv.h (rev 1.25) from FreeBSD

diff --git a/sys/sys/priv.h b/sys/sys/priv.h
new file mode 100644
index 0000000..1d19441
--- /dev/null
+++ b/sys/sys/priv.h
@@ -0,0 +1,490 @@
+/*-
+ * Copyright (c) 2006 nCircle Network Security, Inc.
+ * All rights reserved.
+ *
+ * This software was developed by Robert N. M. Watson for the TrustedBSD
+ * Project under contract to nCircle Network Security, Inc.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR, NCIRCLE NETWORK SECURITY,
+ * INC., OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
+ * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
+ * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
+ * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ * $FreeBSD: src/sys/sys/priv.h,v 1.25 2008/11/17 20:49:29 pjd Exp $
+ */
+
+/*
+ * Privilege checking interface for BSD kernel.
+ */
+#ifndef _SYS_PRIV_H_
+#define	_SYS_PRIV_H_
+
+/*
+ * Privilege list, sorted loosely by kernel subsystem.
+ *
+ * Think carefully before adding or reusing one of these privileges -- are
+ * there existing instances referring to the same privilege?  Third party
+ * vendors may request the assignment of privileges to be used in loadable
+ * modules.  Particular numeric privilege assignments are part of the
+ * loadable kernel module ABI, and should not be changed across minor
+ * releases.
+ *
+ * When adding a new privilege, remember to determine if it's appropriate for
+ * use in jail, and update the privilege switch in kern_jail.c as necessary.
+ */
+
+/*
+ * Track beginning of privilege list.
+ */
+#define	_PRIV_LOWEST	0
+
+/*
+ * PRIV_ROOT is a catch-all for as yet unnamed privileges.  No new
+ * references to this privilege should be added.
+ */
+#define	PRIV_ROOT	1	/* Catch-all during development. */
+
+/*
+ * The remaining privileges typically correspond to one or a small
+ * number of specific privilege checks, and have (relatively) precise
+ * meanings.  They are loosely sorted into a set of base system
+ * privileges, such as the ability to reboot, and then loosely by
+ * subsystem, indicated by a subsystem name.
+ */
+#define	PRIV_ACCT		2	/* Manage process accounting. */
+#define	PRIV_MAXFILES		3	/* Exceed system open files limit. */
+#define	PRIV_MAXPROC		4	/* Exceed system processes limit. */
+#define	PRIV_KTRACE		5	/* Set/clear KTRFAC_ROOT on ktrace. */
+#define	PRIV_SETDUMPER		6	/* Configure dump device. */
+#define	PRIV_REBOOT		8	/* Can reboot system. */
+#define	PRIV_SWAPON		9	/* Can swapon(). */
+#define	PRIV_SWAPOFF		10	/* Can swapoff(). */
+#define	PRIV_MSGBUF		11	/* Can read kernel message buffer. */
+#define	PRIV_IO			12	/* Can perform low-level I/O. */
+#define	PRIV_KEYBOARD		13	/* Reprogram keyboard. */
+#define	PRIV_DRIVER		14	/* Low-level driver privilege. */
+#define	PRIV_ADJTIME		15	/* Set time adjustment. */
+#define	PRIV_NTP_ADJTIME	16	/* Set NTP time adjustment. */
+#define	PRIV_CLOCK_SETTIME	17	/* Can call clock_settime. */
+#define	PRIV_SETTIMEOFDAY	18	/* Can call settimeofday. */
+#define	PRIV_SETHOSTID		19	/* Can call sethostid. */
+#define	_PRIV_SETDOMAINNAME	20	/* Removed. */
+
+/*
+ * Audit subsystem privileges.
+ */
+#define	PRIV_AUDIT_CONTROL	40	/* Can configure audit. */
+#define	PRIV_AUDIT_FAILSTOP	41	/* Can run during audit fail stop. */
+#define	PRIV_AUDIT_GETAUDIT	42	/* Can get proc audit properties. */
+#define	PRIV_AUDIT_SETAUDIT	43	/* Can set proc audit properties. */
+#define	PRIV_AUDIT_SUBMIT	44	/* Can submit an audit record. */
+
+/*
+ * Credential management privileges.
+ */
+#define	PRIV_CRED_SETUID	50	/* setuid. */
+#define	PRIV_CRED_SETEUID	51	/* seteuid to !ruid and !svuid. */
+#define	PRIV_CRED_SETGID	52	/* setgid. */
+#define	PRIV_CRED_SETEGID	53	/* setgid to !rgid and !svgid. */
+#define	PRIV_CRED_SETGROUPS	54	/* Set process additional groups. */
+#define	PRIV_CRED_SETREUID	55	/* setreuid. */
+#define	PRIV_CRED_SETREGID	56	/* setregid. */
+#define	PRIV_CRED_SETRESUID	57	/* setresuid. */
+#define	PRIV_CRED_SETRESGID	58	/* setresgid. */
+#define	PRIV_SEEOTHERGIDS	59	/* Exempt bsd.seeothergids. */
+#define	PRIV_SEEOTHERUIDS	60	/* Exempt bsd.seeotheruids. */
+
+/*
+ * Debugging privileges.
+ */
+#define	PRIV_DEBUG_DIFFCRED	80	/* Exempt debugging other users. */
+#define	PRIV_DEBUG_SUGID	81	/* Exempt debugging setuid proc. */
+#define	PRIV_DEBUG_UNPRIV	82	/* Exempt unprivileged debug limit. */
+
+/*
+ * Dtrace privileges.
+ */
+#define	PRIV_DTRACE_KERNEL	90	/* Allow use of DTrace on the kernel. */
+#define	PRIV_DTRACE_PROC	91	/* Allow attaching DTrace to process. */
+#define	PRIV_DTRACE_USER	92	/* Process may submit DTrace events. */
+
+/*
+ * Firmware privilegs.
+ */
+#define	PRIV_FIRMWARE_LOAD	100	/* Can load firmware. */
+
+/*
+ * Jail privileges.
+ */
+#define	PRIV_JAIL_ATTACH	110	/* Attach to a jail. */
+
+/*
+ * Kernel environment priveleges.
+ */
+#define	PRIV_KENV_SET		120	/* Set kernel env. variables. */
+#define	PRIV_KENV_UNSET		121	/* Unset kernel env. variables. */
+
+/*
+ * Loadable kernel module privileges.
+ */
+#define	PRIV_KLD_LOAD		130	/* Load a kernel module. */
+#define	PRIV_KLD_UNLOAD		131	/* Unload a kernel module. */
+
+/*
+ * Privileges associated with the MAC Framework and specific MAC policy
+ * modules.
+ */
+#define	PRIV_MAC_PARTITION	140	/* Privilege in mac_partition policy. */
+#define	PRIV_MAC_PRIVS		141	/* Privilege in the mac_privs policy. */
+
+/*
+ * Process-related privileges.
+ */
+#define	PRIV_PROC_LIMIT		160	/* Exceed user process limit. */
+#define	PRIV_PROC_SETLOGIN	161	/* Can call setlogin. */
+#define	PRIV_PROC_SETRLIMIT	162	/* Can raise resources limits. */
+
+/* System V IPC privileges.
+ */
+#define	PRIV_IPC_READ		170	/* Can override IPC read perm. */
+#define	PRIV_IPC_WRITE		171	/* Can override IPC write perm. */
+#define	PRIV_IPC_ADMIN		172	/* Can override IPC owner-only perm. */
+#define	PRIV_IPC_MSGSIZE	173	/* Exempt IPC message queue limit. */
+
+/*
+ * POSIX message queue privileges.
+ */
+#define	PRIV_MQ_ADMIN		180	/* Can override msgq owner-only perm. */
+
+/*
+ * Performance monitoring counter privileges.
+ */
+#define	PRIV_PMC_MANAGE		190	/* Can administer PMC. */
+#define	PRIV_PMC_SYSTEM		191	/* Can allocate a system-wide PMC. */
+
+/*
+ * Scheduling privileges.
+ */
+#define	PRIV_SCHED_DIFFCRED	200	/* Exempt scheduling other users. */
+#define	PRIV_SCHED_SETPRIORITY	201	/* Can set lower nice value for proc. */
+#define	PRIV_SCHED_RTPRIO	202	/* Can set real time scheduling. */
+#define	PRIV_SCHED_SETPOLICY	203	/* Can set scheduler policy. */
+#define	PRIV_SCHED_SET		204	/* Can set thread scheduler. */
+#define	PRIV_SCHED_SETPARAM	205	/* Can set thread scheduler params. */
+#define	PRIV_SCHED_CPUSET	206	/* Can manipulate cpusets. */
+
+/*
+ * POSIX semaphore privileges.
+ */
+#define	PRIV_SEM_WRITE		220	/* Can override sem write perm. */
+
+/*
+ * Signal privileges.
+ */
+#define	PRIV_SIGNAL_DIFFCRED	230	/* Exempt signalling other users. */
+#define	PRIV_SIGNAL_SUGID	231	/* Non-conserv signal setuid proc. */
+
+/*
+ * Sysctl privileges.
+ */
+#define	PRIV_SYSCTL_DEBUG	240	/* Can invoke sysctl.debug. */
+#define	PRIV_SYSCTL_WRITE	241	/* Can write sysctls. */
+#define	PRIV_SYSCTL_WRITEJAIL	242	/* Can write sysctls, jail permitted. */
+
+/*
+ * TTY privileges.
+ */
+#define	PRIV_TTY_CONSOLE	250	/* Set console to tty. */
+#define	PRIV_TTY_DRAINWAIT	251	/* Set tty drain wait time. */
+#define	PRIV_TTY_DTRWAIT	252	/* Set DTR wait on tty. */
+#define	PRIV_TTY_EXCLUSIVE	253	/* Override tty exclusive flag. */
+#define	PRIV_TTY_PRISON		254	/* Can open pts across jails. */
+#define	PRIV_TTY_STI		255	/* Simulate input on another tty. */
+#define	PRIV_TTY_SETA		256	/* Set tty termios structure. */
+
+/*
+ * UFS-specific privileges.
+ */
+#define	PRIV_UFS_EXTATTRCTL	270	/* Can configure EAs on UFS1. */
+#define	PRIV_UFS_QUOTAOFF	271	/* quotaoff(). */
+#define	PRIV_UFS_QUOTAON	272	/* quotaon(). */
+#define	PRIV_UFS_SETUSE		273	/* setuse(). */
+
+/*
+ * ZFS-specific privileges.
+ */
+#define	PRIV_ZFS_POOL_CONFIG	280	/* Can configure ZFS pools. */
+#define	PRIV_ZFS_INJECT		281	/* Can inject faults in the ZFS fault
+					   injection framework. */
+#define	PRIV_ZFS_JAIL		282	/* Can attach/detach ZFS file systems
+					   to/from jails. */
+
+/*
+ * NFS-specific privileges.
+ */
+#define	PRIV_NFS_DAEMON		290	/* Can become the NFS daemon. */
+#define	PRIV_NFS_LOCKD		291	/* Can become NFS lock daemon. */
+
+/*
+ * VFS privileges.
+ */
+#define	PRIV_VFS_READ		310	/* Override vnode DAC read perm. */
+#define	PRIV_VFS_WRITE		311	/* Override vnode DAC write perm. */
+#define	PRIV_VFS_ADMIN		312	/* Override vnode DAC admin perm. */
+#define	PRIV_VFS_EXEC		313	/* Override vnode DAC exec perm. */
+#define	PRIV_VFS_LOOKUP		314	/* Override vnode DAC lookup perm. */
+#define	PRIV_VFS_BLOCKRESERVE	315	/* Can use free block reserve. */
+#define	PRIV_VFS_CHFLAGS_DEV	316	/* Can chflags() a device node. */
+#define	PRIV_VFS_CHOWN		317	/* Can set user; group to non-member. */
+#define	PRIV_VFS_CHROOT		318	/* chroot(). */
+#define	PRIV_VFS_RETAINSUGID	319	/* Can retain sugid bits on change. */
+#define	PRIV_VFS_EXCEEDQUOTA	320	/* Exempt from quota restrictions. */
+#define	PRIV_VFS_EXTATTR_SYSTEM	321	/* Operate on system EA namespace. */
+#define	PRIV_VFS_FCHROOT	322	/* fchroot(). */
+#define	PRIV_VFS_FHOPEN		323	/* Can fhopen(). */
+#define	PRIV_VFS_FHSTAT		324	/* Can fhstat(). */
+#define	PRIV_VFS_FHSTATFS	325	/* Can fhstatfs(). */
+#define	PRIV_VFS_GENERATION	326	/* stat() returns generation number. */
+#define	PRIV_VFS_GETFH		327	/* Can retrieve file handles. */
+#define	PRIV_VFS_GETQUOTA	328	/* getquota(). */
+#define	PRIV_VFS_LINK		329	/* bsd.hardlink_check_uid */
+#define	PRIV_VFS_MKNOD_BAD	330	/* Can mknod() to mark bad inodes. */
+#define	PRIV_VFS_MKNOD_DEV	331	/* Can mknod() to create dev nodes. */
+#define	PRIV_VFS_MKNOD_WHT	332	/* Can mknod() to create whiteout. */
+#define	PRIV_VFS_MOUNT		333	/* Can mount(). */
+#define	PRIV_VFS_MOUNT_OWNER	334	/* Can manage other users' file systems. */
+#define	PRIV_VFS_MOUNT_EXPORTED	335	/* Can set MNT_EXPORTED on mount. */
+#define	PRIV_VFS_MOUNT_PERM	336	/* Override dev node perms at mount. */
+#define	PRIV_VFS_MOUNT_SUIDDIR	337	/* Can set MNT_SUIDDIR on mount. */
+#define	PRIV_VFS_MOUNT_NONUSER	338	/* Can perform a non-user mount. */
+#define	PRIV_VFS_SETGID		339	/* Can setgid if not in group. */
+#define	PRIV_VFS_SETQUOTA	340	/* setquota(). */
+#define	PRIV_VFS_STICKYFILE	341	/* Can set sticky bit on file. */
+#define	PRIV_VFS_SYSFLAGS	342	/* Can modify system flags. */
+#define	PRIV_VFS_UNMOUNT	343	/* Can unmount(). */
+#define	PRIV_VFS_STAT		344	/* Override vnode MAC stat perm. */
+
+/*
+ * Virtual memory privileges.
+ */
+#define	PRIV_VM_MADV_PROTECT	360	/* Can set MADV_PROTECT. */
+#define	PRIV_VM_MLOCK		361	/* Can mlock(), mlockall(). */
+#define	PRIV_VM_MUNLOCK		362	/* Can munlock(), munlockall(). */
+
+/*
+ * Device file system privileges.
+ */
+#define	PRIV_DEVFS_RULE		370	/* Can manage devfs rules. */
+#define	PRIV_DEVFS_SYMLINK	371	/* Can create symlinks in devfs. */
+
+/*
+ * Random number generator privileges.
+ */
+#define	PRIV_RANDOM_RESEED	380	/* Closing /dev/random reseeds. */
+
+/*
+ * Network stack privileges.
+ */
+#define	PRIV_NET_BRIDGE		390	/* Administer bridge. */
+#define	PRIV_NET_GRE		391	/* Administer GRE. */
+#define	PRIV_NET_PPP		392	/* Administer PPP. */
+#define	PRIV_NET_SLIP		393	/* Administer SLIP. */
+#define	PRIV_NET_BPF		394	/* Monitor BPF. */
+#define	PRIV_NET_RAW		395	/* Open raw socket. */
+#define	PRIV_NET_ROUTE		396	/* Administer routing. */
+#define	PRIV_NET_TAP		397	/* Can open tap device. */
+#define	PRIV_NET_SETIFMTU	398	/* Set interface MTU. */
+#define	PRIV_NET_SETIFFLAGS	399	/* Set interface flags. */
+#define	PRIV_NET_SETIFCAP	400	/* Set interface capabilities. */
+#define	PRIV_NET_SETIFNAME	401	/* Set interface name. */
+#define	PRIV_NET_SETIFMETRIC	402	/* Set interface metrics. */
+#define	PRIV_NET_SETIFPHYS	403	/* Set interface physical layer prop. */
+#define	PRIV_NET_SETIFMAC	404	/* Set interface MAC label. */
+#define	PRIV_NET_ADDMULTI	405	/* Add multicast addr. to ifnet. */
+#define	PRIV_NET_DELMULTI	406	/* Delete multicast addr. from ifnet. */
+#define	PRIV_NET_HWIOCTL	407	/* Issue hardware ioctl on ifnet. */
+#define	PRIV_NET_SETLLADDR	408	/* Set interface link-level address. */
+#define	PRIV_NET_ADDIFGROUP	409	/* Add new interface group. */
+#define	PRIV_NET_DELIFGROUP	410	/* Delete interface group. */
+#define	PRIV_NET_IFCREATE	411	/* Create cloned interface. */
+#define	PRIV_NET_IFDESTROY	412	/* Destroy cloned interface. */
+#define	PRIV_NET_ADDIFADDR	413	/* Add protocol addr to interface. */
+#define	PRIV_NET_DELIFADDR	414	/* Delete protocol addr on interface. */
+#define	PRIV_NET_LAGG		415	/* Administer lagg interface. */
+
+/*
+ * 802.11-related privileges.
+ */
+#define	PRIV_NET80211_GETKEY	440	/* Query 802.11 keys. */
+#define	PRIV_NET80211_MANAGE	441	/* Administer 802.11. */
+
+/*
+ * AppleTalk privileges.
+ */
+#define	PRIV_NETATALK_RESERVEDPORT	450	/* Bind low port number. */
+
+/*
+ * ATM privileges.
+ */
+#define	PRIV_NETATM_CFG		460
+#define	PRIV_NETATM_ADD		461
+#define	PRIV_NETATM_DEL		462
+#define	PRIV_NETATM_SET		463
+
+/*
+ * Bluetooth privileges.
+ */
+#define	PRIV_NETBLUETOOTH_RAW	470	/* Open raw bluetooth socket. */
+
+/*
+ * Netgraph and netgraph module privileges.
+ */
+#define	PRIV_NETGRAPH_CONTROL	480	/* Open netgraph control socket. */
+#define	PRIV_NETGRAPH_TTY	481	/* Configure tty for netgraph. */
+
+/*
+ * IPv4 and IPv6 privileges.
+ */
+#define	PRIV_NETINET_RESERVEDPORT	490	/* Bind low port number. */
+#define	PRIV_NETINET_IPFW	491	/* Administer IPFW firewall. */
+#define	PRIV_NETINET_DIVERT	492	/* Open IP divert socket. */
+#define	PRIV_NETINET_PF		493	/* Administer pf firewall. */
+#define	PRIV_NETINET_DUMMYNET	494	/* Administer DUMMYNET. */
+#define	PRIV_NETINET_CARP	495	/* Administer CARP. */
+#define	PRIV_NETINET_MROUTE	496	/* Administer multicast routing. */
+#define	PRIV_NETINET_RAW	497	/* Open netinet raw socket. */
+#define	PRIV_NETINET_GETCRED	498	/* Query netinet pcb credentials. */
+#define	PRIV_NETINET_ADDRCTRL6	499	/* Administer IPv6 address scopes. */
+#define	PRIV_NETINET_ND6	500	/* Administer IPv6 neighbor disc. */
+#define	PRIV_NETINET_SCOPE6	501	/* Administer IPv6 address scopes. */
+#define	PRIV_NETINET_ALIFETIME6	502	/* Administer IPv6 address lifetimes. */
+#define	PRIV_NETINET_IPSEC	503	/* Administer IPSEC. */
+#define	PRIV_NETINET_REUSEPORT	504	/* Allow [rapid] port/address reuse. */
+#define	PRIV_NETINET_SETHDROPTS	505	/* Set certain IPv4/6 header options. */
+
+/*
+ * IPX/SPX privileges.
+ */
+#define	PRIV_NETIPX_RESERVEDPORT	520	/* Bind low port number. */
+#define	PRIV_NETIPX_RAW		521	/* Open netipx raw socket. */
+
+/*
+ * NCP privileges.
+ */
+#define	PRIV_NETNCP		530	/* Use another user's connection. */
+
+/*
+ * SMB privileges.
+ */
+#define	PRIV_NETSMB		540	/* Use another user's connection. */
+
+/*
+ * VM86 privileges.
+ */
+#define	PRIV_VM86_INTCALL	550	/* Allow invoking vm86 int handlers. */
+
+/*
+ * Set of reserved privilege values, which will be allocated to code as
+ * needed, in order to avoid renumbering later privileges due to insertion.
+ */
+#define	_PRIV_RESERVED0		560
+#define	_PRIV_RESERVED1		561
+#define	_PRIV_RESERVED2		562
+#define	_PRIV_RESERVED3		563
+#define	_PRIV_RESERVED4		564
+#define	_PRIV_RESERVED5		565
+#define	_PRIV_RESERVED6		566
+#define	_PRIV_RESERVED7		567
+#define	_PRIV_RESERVED8		568
+#define	_PRIV_RESERVED9		569
+#define	_PRIV_RESERVED10	570
+#define	_PRIV_RESERVED11	571
+#define	_PRIV_RESERVED12	572
+#define	_PRIV_RESERVED13	573
+#define	_PRIV_RESERVED14	574
+#define	_PRIV_RESERVED15	575
+
+/*
+ * Define a set of valid privilege numbers that can be used by loadable
+ * modules that don't yet have privilege reservations.  Ideally, these should
+ * not be used, since their meaning is opaque to any policies that are aware
+ * of specific privileges, such as jail, and as such may be arbitrarily
+ * denied.
+ */
+#define	PRIV_MODULE0		600
+#define	PRIV_MODULE1		601
+#define	PRIV_MODULE2		602
+#define	PRIV_MODULE3		603
+#define	PRIV_MODULE4		604
+#define	PRIV_MODULE5		605
+#define	PRIV_MODULE6		606
+#define	PRIV_MODULE7		607
+#define	PRIV_MODULE8		608
+#define	PRIV_MODULE9		609
+#define	PRIV_MODULE10		610
+#define	PRIV_MODULE11		611
+#define	PRIV_MODULE12		612
+#define	PRIV_MODULE13		613
+#define	PRIV_MODULE14		614
+#define	PRIV_MODULE15		615
+
+/*
+ * DDB(4) privileges.
+ */
+#define	PRIV_DDB_CAPTURE	620	/* Allow reading of DDB capture log. */
+
+/*
+ * Arla/nnpfs privileges.
+ */
+#define	PRIV_NNPFS_DEBUG	630	/* Perforn ARLA_VIOC_NNPFSDEBUG. */
+
+/*
+ * cpuctl(4) privileges.
+ */
+#define PRIV_CPUCTL_WRMSR	640	/* Write model-specific register. */
+#define PRIV_CPUCTL_UPDATE	641	/* Update cpu microcode. */
+
+/*
+ * Track end of privilege list.
+ */
+#define	_PRIV_HIGHEST		642
+
+/*
+ * Validate that a named privilege is known by the privilege system.  Invalid
+ * privileges presented to the privilege system by a priv_check interface
+ * will result in a panic.  This is only approximate due to sparse allocation
+ * of the privilege space.
+ */
+#define	PRIV_VALID(x)	((x) > _PRIV_LOWEST && (x) < _PRIV_HIGHEST)
+
+#ifdef _KERNEL
+/*
+ * Privilege check interfaces, modeled after historic suser() interfacs, but
+ * with the addition of a specific privilege name.  No flags are currently
+ * defined for the API.  Historically, flags specified using the real uid
+ * instead of the effective uid, and whether or not the check should be
+ * allowed in jail.
+ */
+struct thread;
+struct ucred;
+int	priv_check(struct thread *td, int priv);
+int	priv_check_cred(struct ucred *cred, int priv, int flags);
+#endif
+
+#endif /* !_SYS_PRIV_H_ */


[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]